DropBoq 



Hacking 



by Kevin Beaver 



Foreword by Stuart McClure 



WILEY 

Wiley Publishing, Inc. 



DropBooks 



DropBoq 



Hacking 



by Kevin Beaver 



Foreword by Stuart McClure 



WILEY 

Wiley Publishing, Inc. 



Hacking For Dummies' 

Published by 




Copyright © 2004 by Wiley Publishing, Inc., Indianapolis, Indiana 
Published by Wiley Publishing, Inc., Indianapolis, Indiana 
Published simultaneously in Canada 

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or 
by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted 
under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permis- 
sion of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright 
Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to 
the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 
Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, e-mail: permcoordi nator® 



Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the 
Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade 
dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United 
States and other countries, and may not be used without written permission. All other trademarks are the 
property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor 
mentioned in this book. 



GENERAL DISCLAIMER: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WAR- 
RANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK 
AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES 
OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY 
SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT 
BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE 
PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SER- 
VICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL 
PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR 
DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO 
IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT 
MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION 
OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD 
BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED 
BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ. 



For general information on our other products and services or to obtain technical support, please contact 
our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 
317-572-4002. 

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may 
not be available in electronic books. 

Library of Congress Control Number: 2004101971 

ISBN: 0-7645-5784-X 

Manufactured in the United States of America 
10 987654321 
1B/RV/QU/QU/IN 



wi 1 ey . com. 




WILEY 



About the Author 



DropBookSe 

has over 1 



r and principal consultant of Principle Logic, LLC, Kevin Beaver 
has over 16 years of experience in IT and specializes in information security. 
Before starting his own information security services business, Kevin served 
in various information technology and security roles for several Fortune 
500 corporations and a variety of consulting, e-commerce, and educational 
institutions. In addition to ethical hacking, his areas of information security 
expertise include network and wireless network security, e-mail and instant 
messaging security, and incident response 

Kevin is also author of the book The Definitive Guide to Email Management and 
Security by Realtimepublishers.com and co-author of the book The Practical 
Guide to HIPAA Privacy and Security Compliance by Auerbach Publications. In 
addition, he is technical editor of the book Network Security For Dummies by 
Wiley Publishing, and a contributing author and editor of the book Healthcare 
Information Systems, 2 nd ed. by Auerbach Publications. 

Kevin is a regular columnist and information security expert advisor for 
SearchSecurity.com and SearchMobileComputing.com and is a Security Clinic 
Expert for ITsecurity.com. In addition, his information security work has been 
published in Information Security Magazine, HIMSS Journal of Healthcare 
Information Management, Advance for Health Information Executives as well 
as on SecurityFocus.com. Kevin is an information security instructor for the 
Southeast Cybercrime Institute and also frequently speaks on information 
security at various workshops and conferences around the U.S. including 
TechTarget's Decisions conferences, CSI, and the Southeast Cybercrime 
Summit. 



Kevin is the founder and president of the Technology Association of Georgia's 
Information Security Society and serves as an IT advisory board member for 
several universities and companies around the southeast. Kevin earned his 
bachelor's degree in Computer Engineering Technology from Southern Poly- 
technic State University and his master's degree in Management of Technology 
from Georgia Tech. He also holds CISSP, MCSE, Master CNE, and IT Project+ 
certifications. Kevin can be reached at kbea ver@pri nci pi el ogi c . com. 



Drop 



ft 



di cation 

OOKS Garrett, Master, and Murphy — through thick and thicker, we did it! 
I couldn't have written this book without the tremendous inspiration each of 
you have given me. You all make the world a better place — thanks for being 
here for me. 



Author's Acknowledgments 

First, I'd like to thank Melody Layne, my acquisitions editor at Wiley, for 
contacting me with this book idea, providing me this great opportunity, and 
for being so patient with me during the acquisitions, writing, and editing 
processes. Also, thanks to all the other members of the acquisitions team at 
Wiley who helped me shape my outline and initial chapter. 

I'd like to thank my project editor, Pat O'Brien, as well as Kim Darosett and the 
rest of the tireless editorial staff at Wiley for all of your hard work, patience, 
and great edits! Also, thanks to Terri Varveris for making the initial Dummies 
contact several years back in the Hungry Minds days and for introducing me 
to the team — you truly helped get this ball rolling. 

Major kudos go out to the security legend, Peter T. Davis, my technical editor. 
Your For Dummies experience and seemingly never-ending technical knowl- 
edge are a great asset to this book. I really appreciate your time and effort 
you've put forth, and I'm truly honored that you helped me on this project. 

I'd also like to thank Stuart McClure — the highly-talented security expert 
and phenomenal author — for writing the foreword. It's funny how this book 
turned out and how you still ended up being involved! Just look at what you 
created instead — you should be proud. 

To Ira Winkler, Dr. Philippe Oechslin, David Rhoades, Laura Chappell, Matt 
Caldwell, Thomas Akin, Ed Skoudis, and Caleb Sima — thank you all for doing 
such a great job with the case studies in this book! They're a perfect fit and 
each of you were true professionals and great to work with. I really appreciate 
your time and effort. 



soutnern 

Dote 

smartest 



I'd like to extend deep gratitude to Robert Dreyer — my favorite professor at 
Southern Poly — who piqued my technical interest in computer hardware and 
and who taught me way more about computer bits and bytes than I 
'd ever know. Also, thanks to my friend William Long — one of the 
smartest people I've ever known — for being the best computer and network 
mentor I could ever have. In addition, I'd like to thank John Cirami for show- 
ing me how to run that first DOS executable file off of that 5 1/4" floppy way 
back when and for helping me to get the ball rolling in my computer career. 

A well-deserved thanks also goes out to all my friends and colleagues — you 
know who you are — who helped provide feedback and advice about the title 
change. 



Finally, I'd like to thank Rik Emmett, Geoff Tate, Neil Peart, and all of their 
supporting band members for the awesome lyrics and melodies that inspired 
me to keep pushing forward with this book during the challenging times. 



Publisher's Acknowledgments 




is book; please send us your comments through our online registration form 

s . com/ regi ster/. 

helped bring this book to market include the following: 



Acquisitions, Editorial, and 
Media Development 

Project Editor: Pat O'Brien 

Acquisitions Editor: Melody Layne 

Senior Copy Editor: Kim Darosett 

Technical Editor: Peter T. Davis 

Editorial Manager: Kevin Kirschner 

Media Development Manager: Laura VanWinkle 

Media Development Supervisor: 

Richard Graves 

Editorial Assistant: Amanda Foxworth 
Cartoons: Rich Tennant, www . the5thwa ve . com 



Production 

Project Coordinator: Maridee Ennis 

Layout and Graphics: Andrea Dahl, 
Denny Hager, Lynsey Osborn, 
Heather Ryan, Jacque Schneider 

Proofreaders: Carl W. Pierce, Brian H. Walls, 
TECHBOOKS Production Services 

Indexer: TECHBOOKS Production Services 



Publishing and Editorial for Technology Dummies 

Richard Swadley, Vice President and Executive Group Publisher 

Andy Cummings, Vice President and Publisher 

Mary C. Corder, Editorial Director 
Publishing for Consumer Dummies 

Diane Graves Steele, Vice President and Publisher 

Joyce Pepple, Acquisitions Director 
Composition Services 

Gerry Fahey, Vice President of Production Services 

Debbie Stailey, Director of Composition Services 



DropBook£ on,en,s at a Glance 

Foreword jeOii 

Introduction / 

Part 1: Building the foundation for Ethical Hackinq 7 

Chapter 1: Introduction to Ethical Hacking 9 

Chapter 2: Cracking the Hacker Mindset 21 

Chapter 3: Developing Your Ethical Hacking Plan 29 

Chapter 4: Hacking Methodology 39 

Part 11: Putting Ethical Hacking in Motion 53 

Chapter 5: Social Engineering 55 

Chapter 6: Physical Security 69 

Chapter 7: Passwords 79 

Part 111: Network Hacking 103 

Chapter 8: War Dialing 105 

Chapter 9: Network Infrastructure 117 

Chapter 10: Wireless LANs 147 

Part IV: Operating System Hacking 165 

Chapter 11: Windows 167 

Chapter 12: Linux 193 

Chapter 13: Novell NetWare 215 

Part V: Application Hacking 235 

Chapter 14: Malware 237 

Chapter 15: Messaging Systems 257 

Chapter 16: Web Applications 279 

Part VI: Ethical Hacking Aftermath 297 

Chapter 17: Reporting Your Results 299 

Chapter 18: Plugging Security Holes 305 

Chapter 19: Managing Security Changes 311 



Part (Ah The Part of Jens 317 

ChaDtei|2Q: l^n Tips for Getting Upper Management Buy-In 319 

©fe0iK:§n Deadly Mistakes 323 

Part (/111: Appendixes 327 

Appendix A: Tools and Resources 329 

Appendix B: About the Book Web Site 337 

Index 339 



DropBooks Table 0f Con,en,S 



Foreword kOH 

Introduction / 

Who Should Read This Book? 1 

About This Book 2 

How to Use This Book 2 

What You Don't Need to Read 3 

Foolish Assumptions 3 

How This Book Is Organized 3 

Part I: Building the Foundation for Ethical Hacking 4 

Part II: Putting Ethical Hacking in Motion 4 

Part III: Network Hacking 4 

Part IV: Operating System Hacking 4 

Part V: Application Hacking 5 

Part VI: Ethical Hacking Aftermath 5 

Part VII: The Part of Tens 5 

Part VIII: Appendixes 5 

Icons Used in This Book 6 

Where to Go from Here 6 

Part 1: Building the Foundation for Ethical Hacking 7 

Chapter 1: Introduction to Ethical Hacking 9 

How Hackers Beget Ethical Hackers 9 

Defining hacker 9 

Ethical Hacking 101 10 

Understanding the Need to Hack Your Own Systems 11 

Understanding the Dangers Your Systems Face 12 

Nontechnical attacks 12 

Network-infrastructure attacks 13 

Operating-system attacks 13 

Application and other specialized attacks 13 

Obeying the Ethical hacking Commandments 14 

Working ethically 14 

Respecting privacy 14 

Not crashing your systems 15 

The Ethical hacking Process 15 

Formulating your plan 15 

Selecting tools 17 

Executing the plan 19 

Evaluating results 20 

Moving on 20 



Hacking For Dummies 



pB00r 



Chapter 2: Cracking the Hacker Mindset 21 

What You're Up Against 21 

VQ> Hacks 22 

Wby Hackers Hack 24 

Planning and Performing Attacks 26 

Maintaining Anonymity 27 



Chapter 3: Developing Your Ethical Hacking Plan 29 

Getting Your Plan Approved 29 

Establishing Your Goals 30 

Determining What Systems to Hack 32 

Creating Testing Standards 33 

Timing 34 

Specific tests 34 

Blind versus knowledge assessments 35 

Location 36 

Reacting to major exploits that you find 36 

Silly assumptions 36 

Selecting Tools 37 

Chapter 4: Hacking Methodology 39 

Setting the Stage 39 

Seeing What Others See 41 

Gathering public information 41 

Mapping the network 43 

Scanning Systems 45 

Hosts 46 

Modems and open ports 46 

Determining What's Running on Open Ports 47 

Assessing Vulnerabilities 49 

Penetrating the System 51 

Part 11: Putting Ethical Hacking in Motion 53 

Chapter 5: Social Engineering 55 

Social Engineering 101 55 

Before You Start 56 

Why Hackers Use Social Engineering 58 

Understanding the Implications 58 

Performing Social-Engineering Attacks 59 

Fishing for information 60 

Building trust 62 

Exploiting the relationship 63 

Social-Engineering Countermeasures 65 

Policies 66 

User awareness 66 



Table of Contents 



pBooks 



Chapter 6: Physical Security 69 

Physical-Security Vulnerabilities 69 

t to Look For 70 

Building infrastructure 72 

Utilities 73 

Office layout and usage 74 

Network components and computers 75 



Chapter 7: Passwords 79 

Password Vulnerabilities 79 

Organizational password vulnerabilities 80 

Technical password vulnerabilities 82 

Cracking Passwords 82 

Cracking passwords the old-fashioned way 83 

High-tech password cracking 85 

General password-hacking countermeasures 91 

Password-protected files 95 

Other ways to crack passwords 97 

Securing Operating Systems 101 

Windows 101 

Linux and UNIX 102 

Part 111: NetWork Hackinq 103 

Chapter 8: War Dialing 105 

War Dialing 105 

Modem safety 105 

General telephone-system vulnerabilities 106 

Attacking 106 

Countermeasures 114 

Chapter 9: Network Infrastructure 117 

Network Infrastructure Vulnerabilities 1 19 

Choosing Tools 120 

Scanners 120 

Vulnerability assessment 121 

Scanning, Poking, and Prodding 121 

Port scanners 121 

SNMP scanning 129 

Banner grabbing 130 

Firewall rules 131 

Looking through a network analyzer 134 

The MAC-daddy attack 140 

Denial of service 144 

General network defenses 146 



Hacking For Dummies 



pBooki 



Chapter 10: Wireless LANs 147 

Understanding the Implications of Wireless Network Vulnerabilities ....147 

>osing Your Tools 148 

less LAN Discovery 151 

Checking for worldwide recognition 151 

Scanning your local airwaves 152 

Wireless Network Attacks 154 

Encrypted traffic 155 

Countermeasures 156 

Rogue networks 158 

Countermeasures 159 

Physical-security problems 160 

Countermeasures 160 

Vulnerable wireless workstations 161 

Countermeasures 161 

Default configuration settings 162 

Countermeasures 163 



Part W: Operating System Hacking 165 

Chapter 11: Windows 167 

Windows Vulnerabilities 168 

Choosing Tools 168 

Essential tools 169 

Free Microsoft tools 169 

All-in-one assessment tools 170 

Task-specific tools 1 70 

Information Gathering 171 

System scanning 171 

NetBIOS 174 

RPC 177 

Enumeration 178 

Countermeasures 178 

Null Sessions 179 

Hacks 179 

Countermeasures 184 

Share Permissions 186 

Windows defaults 186 

Testing 187 

General Security Tests 189 

Windows Update 189 

Microsoft Baseline Security Analyzer (MBSA) 190 

LANguard 191 

Chapter 12: Linux 193 

Linux Vulnerabilities 194 

Choosing Tools 194 



Table of Contents 



DropBocfe 



Information Gathering 195 

System scanning 195 

Countermeasures 199 

eded Services 200 

Searches 200 

Countermeasures 202 

.rhosts and hosts. equiv Files 204 

Hacks 204 

Countermeasures 205 

NFS 206 

Hacks 206 

Countermeasures 207 

File Permission 207 

Hacks 207 

Countermeasures 207 

Buffer Overflows 208 

Attacks 209 

Countermeasures 209 

Physical Security 209 

Hacks 210 

Countermeasures 210 

General Security Tests 211 

Patching Linux 212 

Distribution updates 213 

Multiplatform update managers 213 

Chapter 13: Novell NetWare 215 

NetWare Vulnerabilities 215 

Choosing Tools 216 

Getting Started 216 

Server access methods 217 

Port scanning 217 

NCPQuery 219 

Countermeasures 220 

Authentication 220 

Rconsole 221 

Server-console access 224 

Intruder detection 224 

Rogue NLMs 225 

Clear-text packets 229 

General Best Practices for Minimizing NetWare Security Risks 230 

Rename admin 231 

Disable eDirectory browsing 231 

Removing bindery contexts 233 

System auditing 233 

TCP/IP parameters 234 

Patching 234 



Hacking For Dummies 



Part V: Application Hacking 235 



pBo©te 



4:Malware 237 



mplications of Malware Attacks 237 

Types of Malware 239 

Trojan horses 239 

Viruses 240 

Worms 240 

Rootkits 240 

Spyware 241 

Built-in programming interfaces 241 

Logic bombs 242 

Security tools 242 

How Malware Propagates 243 

Automation 243 

E-mail 243 

Hacker backdoors 244 

Testing 244 

Vulnerable malware ports 244 

Manual assessment 245 

Antivirus software testing 249 

Network scanning 250 

Behavioral-analysis tools 253 

Malware Countermeasures 253 

General system administration 253 

E-mails 255 

Files 255 

Chapter 15: Messaging Systems 257 

Messaging-System Vulnerabilities 257 

E-Mail Attacks 258 

E-mail bombs 258 

Banners 263 

SMTP attacks 265 

General best practices for minimizing e-mail security risks 271 

Instant Messaging 272 

Vulnerabilities 272 

Countermeasures 275 

Chapter 16: Web Applications 279 

Web-Application Vulnerabilities 279 

Choosing Your Tools 280 

Insecure Login Mechanisms 280 

Testing 280 

Countermeasures 283 

Directory Traversal 283 

Testing 283 

Countermeasures 285 



Table of Contents 



ipBooks 



Input Filtering 285 

Input attacks 286 

Countermeasures 289 

ult Scripts 289 

Attacks 289 

Countermeasures 290 

URL Filter Bypassing 290 

Bypassing filters 290 

Countermeasures 292 

Automated Scans 292 

Nikto 292 

Weblnspect 292 

General Best Practices for Minimizing 

Web-Application Security Risks 294 

Obscurity 294 

Firewalls 295 



Part Vh Ethical Hacking Aftermath 297 

Chapter 17: Reporting Your Results 299 

Pulling the Results Together 299 

Prioritizing Vulnerabilities 301 

Reporting Methods 302 

Chapter 18: Plugging Security Holes 305 

Turning Your Reports into Action 305 

Patching for Perfection 306 

Patch management 306 

Patch automation 307 

Hardening Your Systems 308 

Assessing Your Security Infrastructure 309 

Chapter 19: Managing Security Changes 311 

Automating the Ethical Hacking Process 311 

Monitoring Malicious Use 312 

Outsourcing Ethical Hacking 313 

Instilling a Security-Aware Mindset 315 

Keeping Up with Other Security Issues 316 

Part Vlh The Part of Tens 317 

Chapter 20: Ten Tips for Getting Upper Management Buy-In 319 

Cultivate an Ally and Sponsor 319 

Don't Be a FUDdy Duddy 319 

Demonstrate How the Organization Can't Afford to Be Hacked 320 

Outline the General Benefits of Ethical Hacking 320 



Hacking For Dummies 



pBoo 



Show How Ethical Hacking Specifically Helps the Organization 321 

Get Involved in the Business 321 

blish Your Credibility 321 

k on Their Level 322 

Show Value in Your Efforts 322 

Be Flexible and Adaptable 322 



Chapter 21 : Ten Deadly Mistakes 323 

Not Getting Approval in Writing 323 

Assuming That You Can Find All Vulnerabilities During Your Tests ....324 

Assuming That You Can Eliminate All Security Vulnerabilities 324 

Performing Tests Only Once 324 

Pretending to Know It All 325 

Running Your Tests without Looking at Things 

from a Hacker's Viewpoint 325 

Ignoring Common Attacks 325 

Not Using the Right Tools 325 

Pounding Production Systems at the Wrong Time 326 

Outsourcing Testing and Not Staying Involved 326 



Part V1U: Appendixes 327 

Appendix A: Tools and Resources 329 

Awareness and Training 329 

Dictionary Files and Word Lists 329 

General Research Tools 330 

Hacker Stuff 330 

Linux 331 

Log Analysis 331 

Malware 331 

Messaging 332 

NetWare 332 

Networks 332 

Password Cracking 333 

War Dialing 334 

Web Applications 334 

Windows 334 

Wireless Networks 335 

Appendix B: About the Book Web Site 337 



339 



DropBooks ForeWOrd 

£ittle more than 10 years ago, security was barely a newborn in diapers. 
With only a handful of security professionals in 1994, few practiced secu- 
rity and even fewer truly understood it. Security technologies amounted to 
little more than anti-virus software and packet filtering routers at that time. 
And the concept of a "hacker" came primarily from the Hollywood movie "War 
Games"; or more often it referred to someone with a low golf score. As a result, 
just like Rodney Dangerfield it got "no respect" and no one took it seriously. 
IT professionals saw it largely as a nuisance, to be ignored — that is until 
they were impacted by it. 

Today, the number of Certified Information Systems Security Professionals 
(CISSP) have topped 23,000 (www.isc2.org) worldwide, and there are more 
security companies dotting the landscape than anyone could possibly remem- 
ber. Today security technologies encompass everything from authentication 
and authorization, to firewalls and VPNs. There are so many ways to address 
the security problem that it can cause more than a slight migraine simply con- 
sidering the alternatives. And the term "hacker" has become a permanent part 
of our everyday vernacular — as defined in nearly daily headlines. The world 
(and its criminals) has changed dramatically. 

So what does all this mean for you, the home/end user or IT/security profes- 
sional that is thrust into this dangerous online world every time you hit the 
power button on your computer? The answer is "everything". The digital 
landscape is peppered with land mines that can go off with the slightest 
touch or, better yet, without any provocation whatsoever. Consider some 
simple scenarios: 

f* Simply plugging into the Internet without a properly configured firewall 
can get you hacked before the pizza is delivered, within 30 minutes 
or less. 

V Opening an email attachment from a family member, friend, or work col- 
league can install a backdoor on your system allowing a hacker free 
access to your computer. 

Downloading and executing a file via your Internet Messaging (IM) pro- 
gram can turn your pristine desktop into a Centers for Disease Control 
(CDC) hotzone, complete with the latest alphabet soup virus. 

v 0 Browsing to an innocent (and trusted) website can completely compro- 
mise your computer, allowing a hacker to read your sensitive files or 
worse delete them. 



)C(Jt 1 1 Hacking For Dummies 



Trust me when we say the likelihood of becoming an Internet drive-by statistic 
on the information superhighway is painfully real. 



jJapNp^n asked, "Is the fear, uncertainty, and doubt (FUD) centered on cybert- 
errorism justified? Can cyber-terrorists really affect our computer systems 
and our public infrastructure as some have prognosticated like new age 
Nostradamus soothsayers? The answer I always give is "Unequivocally, yes". 
The possibility of a digital Pearl Harbor is closer than many think. Organized 
terrorist cells like Al Qaeda are raided almost weekly, and when computers are 
discovered, their drives are filled with cyber hacking plans, U.S. infrastructure 
blueprints, and instructions on attacking U.S. computer and infrastructure 



Do you believe the energy commissions report about the biggest power outage 
in U.S history? The one that on August 14, 2003 left l/5 th of the U.S. population 
without power (about 50 million people) for over 12 hours? Do you believe that 
it has to do with untrimmed trees and faulty control processes? If you believe 
in Occam's Razor, then yes, the simplest explanation is usually the correct one 
but remember this: the power outage hit just three days after the Microsoft 
Blaster worm, one of the most vicious computer worms ever unleashed on 
the Internet, first hit. Coincidence? Perhaps. 

Some of you may be skeptical, saying "Well, if the threat is so real, why hasn't 
something bad happened yet?" I respond simply, "If I had come to you on 
Sept. 10, 2001, and said that in the near future people would use commercial 
airplanes as bombs to kill over 3,000 people in the matter of 5 hours, would 
you believe me?" I understand your skepticism. And you should be skeptical. 
But we are asking for your trust, and your faith, before something bad happens. 
Trust that we know the truth, we know what is possible, and we know the 
mind of the enemy. I think we can all agree on at least one thing, we cannot 
allow them to succeed. 

Every minute of every day there are governments, organized crime, and hacker 
groups turning the doors on your house looking for an unlocked entry They 
are rattling the windows and circling your domicile, looking for a weakness, a 
vulnerability, or a way into your house. Are you going to let them in? Are you 
going to sit idly by and watch as they ransack your belongings, make use of 
your facilities, and desecrate your sanctuary? Or are you going to empower 
yourself, educate yourself, and prevent them from winning? The actions you 
take today will ultimately answer that question. 

Do not despair, all hope is not lost. Increasing security is more of a mindset 
than anything else. Security is akin to working out. If you don't do it regularly, 
it won't become a part of your lifestyle. And if it doesn't become a part of your 
lifestyle, it will quickly become something you can forego and avoid. In other 
words, you won't be fit. Same thing applies for security. If you don't realize that 
it is a process, not a goal, then you will never make it part of your everyday 
wellness routine, as a result it quickly becomes something you forego and 
avoid. And if you avoid it, you will eventually be bit by it. 




targets. 



« 

Foreword )Cl)C 



know ma> 

DropBodte 

Dummies 



The greatest gift you can give yourself is that of education. What you don't 
know may not kill you but it may seriously impact you or someone you care 
owing what you don't know is the real trick. And filling in the gaps 
dge is paramount to preventing a significant attack. Hacking For 
can fill in those gaps. Kevin has done a remarkable job in presenting 
material that is valuable and unique in that it covers hacking methodologies 
for Windows, Novell, and Linux, as well as such little covered topics as physi- 
cal security, social engineering, and malware. The varied coverage of security 
topics in this book is what helps you more completely understand the mind 
of the hacker and how they work; and it will ultimately be the singular reason 
you may avoid an attack in the future. Read it carefully. Learn from it. And 
practice what it says in every area you can. 

Make no mistake; the digital battlefield is very real. It has no beginning, it has 
no ending, it has no boundaries, and it has no rules. Read this book, learn 
from it and defend yourself or we may lose this digital war. 

Stuart McClure is a world-renowned information security expert, founder and co- 
author of the highly-popular Hacking Exposed series of books, and founder and 
President and Chief Technology Officer of Foundstone, Inc., experts in strategic 
security. He can be reached at stu@foundstone.com. 



Hacking For Dummies 



DropBooks 



DropBooks ln,roduC,ion 



m My elcome to Hacking For Dummies. This book outlines computer hacker 
ww tricks and techniques — in plain English — to assess the security of 
your own information systems, find security vulnerabilities, and fix the vul- 
nerabilities before malicious and criminal hackers have an opportunity to 
take advantage of them. This hacking is the professional, aboveboard, and 
legal type of security testing — which I call ethical hacking throughout the 
book. Computer and network security is a complex subject and an ever- 
moving target. You must stay on top of it to ensure your information is pro- 
tected from the bad guys. 

You can implement all the security technologies and other best practices 
possible, and your information systems may be secure — as far as you know. 
However, until you understand how hackers think and apply that knowledge 
to assess your systems from a hacker's-eye view, you can't get a true sense of 
how secure your information really is. 

Ethical hacking — sometimes referred to as penetration testing or white-hat 
hacking — is a necessary requirement to ensure that information systems are 
truly secure on an ongoing basis. This book provides you with the knowledge 
required to successfully implement an ethical hacking program, along with 
countermeasures that you can implement to keep malicious hackers out of 
your business. 



Who Should Read This Book) 



If you want to hack other people's computer systems maliciously, this book is 
not for you. 

Disclaimer: If you choose to use the information in this book to hack or break 
into computer systems maliciously in an unauthorized fashion, you're on your 
own. Neither I, as the author, nor anyone else associated with this book shall 
be liable or responsible for any unethical or criminal choices that you may 
make and execute using the methodologies and tools that I describe. This 
book is intended solely for the IT professional to test information security in 
an authorized fashion. 



Hacking For Dummies 



you 11 you 
more secu 



Okay, now that that's out of the way, time for the good stuff! This book is for 
you if you're a network administrator, information-security manager, security 
t, or someone interested in finding out more about legally and ethi- 
ing your own or a customer's information systems to make them 
more secure. 



As the ethical hacker performing well-intended information-security assess- 
ments, you can detect and point out security holes that may otherwise be 
overlooked. If you're performing these tests on your own systems, the infor- 
mation you uncover in your tests can help you win over management and 
prove that information security should be taken seriously. Likewise, if you're 
performing these tests for your customers, you can help find security holes 
that can be plugged before malicious hackers have a chance to exploit them. 

The information in this book helps you stay on top of the security game and 
enjoy the fame and glory that comes with helping your organization and cus- 
tomers prevent bad things from happening to their information. 



About This Book 

Hacking For Dummies is a reference guide on hacking computers and network 
systems. The ethical hacking techniques are based on the unwritten rules of 
computer system penetration testing and information-security best practices. 
This book covers everything from establishing your hacking plan to testing 
your systems to managing an ongoing ethical hacking program. Realistically, 
for many networks, operating systems, and applications, thousands of possi- 
ble hacks exist. I cover the major ones that you should be concerned about. 
Whether you need to assess security vulnerabilities on a small home-office 
network, a medium-size corporate network, or across large enterprise sys- 
tems, Hacking For Dummies provides the information you need. 



Hou? to Use This Book 

This book includes the following features: 

Various technical and nontechnical hack attacks and their detailed 
methodologies 

Hack-attack case studies from well-known and anonymous hackers and 
other security experts 

u* Specific countermeasures to protect against hack attacks 

Each chapter is an individual reference on a specific ethical hacking subject. 
You can refer to individual chapters that pertain to the type of systems you're 
assessing, or you can read the book straight through. 



Introduction 



tion in ra: 

ipBoote 



Before you start hacking your systems, familiarize yourself with the informa- 
tion in Part I so you're prepared for the tasks at hand. The adage "if you fail 
ou plan to fail" rings true for the ethical hacking process. You must 
n permission and have a solid game plan. 



This material is not intended to be used for unethical or illegal hacking pur- 
poses to propel you from script kiddie to mega hacker. Rather, it is designed 
to provide you with the knowledge you need to hack your own or your cus- 
tomers' systems — in an ethical and legal manner — to enhance the security 
of the information involved. 



What l/ou don't Meed to Read 



Depending on your computer and network configurations, you may be able to 
skip chapters. For example, if you aren't running Linux or wireless networks, 
you can skip those chapters. 



Foolish Assumptions 

I make a few assumptions about you, aspiring information-security person: 

i>* You're familiar with basic computer-, network-, and information-security- 
related concepts and terms. 

*** You have a basic understanding of what hackers do. 

You have access to a computer and a network on which to test these 
techniques. 

You have access to the Internet in order to obtain the various tools used 
in the ethical hacking process. 

You have permission to perform the hacking techniques in this book. 



HouJ This Book Is Organized 

This book is organized into eight parts — six regular chapter parts, a Part of 
Tens, and a part with appendixes. These parts are modular, so you can jump 
around from one part to another as needed. Each chapter provides practical 
methodologies and best practices you can utilize as part of your ethical hack- 
ing efforts, including checklists and references to specific tools you can use, 
as well as resources on the Internet. 



Hacking For Dummies 



Part 1: Building the Foundation 
•pBOC^KS^*' Hacking 



This part covers the fundamental aspects of ethical hacking. It starts with an 
overview of the value of ethical hacking and what you should and shouldn't 
do during the process. You get inside the hacker's mindset and discover how 
to plan your ethical hacking efforts. This part covers the steps involved in 
the ethical hacking process, including how to choose the proper tools. 



Part 11: Putting Ethical Hacking in Motion 

This part gets you rolling with the ethical hacking process. It covers several 
well-known hack attacks, including social engineering and cracking pass- 
words, to get your feet wet. The techniques presented are some of the most 
widely used hack attacks. This part covers the human and physical elements 
of security, which tend to be the weakest links in any information-security 
program. After you plunge into these topics, you'll know the tips and tricks 
required to perform common general hack attacks against your systems, as 
well as specific countermeasures to keep your information systems secure. 



Part 111: NetWork Hacking 

Starting with the larger network in mind, this part covers methods to test 
your systems for various well-known network infrastructure vulnerabilities. 
From weaknesses in the TCP/IP protocol suite to wireless network insecuri- 
ties, you find out how networks are compromised using specific methods of 
flawed network communications, along with various countermeasures that 
you can implement to keep from becoming a victim. This part also includes 
case studies on some of the network hack attacks that are presented. 



Part IV: Operating System Hacking 

Practically all operating systems have well-known vulnerabilities that hackers 
often use. This part jumps into hacking three widely used operating systems: 
Windows, Linux, and NetWare. The hacking methods include scanning your 
operating systems for vulnerabilities and enumerating the specific hosts to 
gain detailed information. This part also includes information on exploiting 
well-known vulnerabilities in these operating systems, taking over operating 
systems remotely, and specific countermeasures that you can implement to 
make your operating systems more secure. This part also includes case stud- 
ies on operating-system hack attacks. 



Introduction 



pBocfe 



Part Vi Application Hacking 



on security is gaining more visibility in the information-security arena 
ys. An increasing number of attacks are aimed directly at various 
applications, which are often able to bypass firewalls, intrusion-detection 
systems, and antivirus software. This part discusses hacking specific appli- 
cations, including coverage on malicious software and messaging systems, 
along with practical countermeasures that you can put in place to make your 
applications more secure. 

One of the most common network attacks is on Web applications. Practically 
every firewall lets Web traffic into and out of the network, so most attacks are 
against the millions of Web applications available to almost anyone. This part 
covers Web application hack attacks, countermeasures, and some application 
hacking case studies for real-world security testing scenarios. 



Part Vli Ethical Hacking Aftermath 

After you've performed your ethical hack attacks, what do you do with the 
information you've gathered? Shelve it? Show it off? How do you move for- 
ward? This part answers all these questions and more. From developing 
reports for upper management to remediating the security flaws that you dis- 
cover to establishing procedures for your ongoing ethical hacking efforts, 
this part brings the ethical hacking process full circle. This information not 
only ensures that your effort and time are well spent, but also is evidence 
that information security is as an essential element for success in any busi- 
ness that depends on computers and information technology. 



Part (/ll: The Part of Tens 

This part contains tips to help ensure the success of your ethical hacking 
program. You find out how to get upper management to buy into your ethical 
hacking program so you can get going and start protecting your systems. This 
part also includes the top ten ethical hacking mistakes to avoid and my top 
ten tips for ethical hacking success. 



Part Vl\h Appendixes 

This part includes two appendixes that cover ethical hacking reference mate- 
rials. This includes a one-stop reference listing of ethical hacking tools and 
resources, as well as information on the Hacking For Dummies Web site. 



Hacking For Dummies 




Icons Used in This Book 

^^J^^^ points out technical information that is interesting but not vital to 
your understanding of the topic being discussed. 



This icon points out information that is worth committing to memory. 



This icon points out information that could have a negative impact on your 
ethical hacking efforts — so please read it! 



This icon refers to advice that can help highlight or clarify an important 
point. 



Where to Go from Here 

The more you know about how hackers work and how your systems should 
be tested, the better you're able to secure your computer systems. This book 
provides the foundation that you need to develop and maintain a successful 
ethical-hacking program for your organization and customers. Keep in mind 
that the high-level concepts of ethical hacking won't change as often as the 
specific information-security vulnerabilities you're protecting against. The art 
and science of ethical hacking will always remain an art and a science — and 
a field that's ever-changing. You must keep up with the latest hardware and 
software technologies, along with the various vulnerabilities that come about 
year after year. No one best way to hack your systems ethically exists, so 
tweak this information to your heart's content. Happy (ethical) hacking! 



Parti 



n q . Building the 

DropBooks- . , 

Toundation for 
Ethical Hacking 



The 5 th Wave 



By Rich Tennant 




"UeyTVulip/ 1 think vie're in. I'm goma twj linking 
directly -to the screen, but ^ivnme a d%uis£ in 
case it works. I don't want all c£ New "Sfo*K to 
know Jerry BeMavto o£ 14 Queensbevrg, "B^onx. TiW, 
hacked into the Times Sqoave video screen ." 



DropBooks 



In this part . . . 

\m our mission — should you choose to accept it — is to 
find the holes in your network before the bad guys do. 
This mission will be fun, educational, and most likely enter- 
taining. It will certainly be an eye-opening experience. The 
cool part is that you can emerge as the hero, knowing that 
your company will be better protected against hacker 
attacks and less likely to have its name smeared across 
the headlines at any time. 

If you're new to ethical hacking, this is the place to begin. 
The chapters in this part will get you started with informa- 
tion on what to do and how to do it when you're hacking 
your own systems. Oh, and also, you find out what not to 
do as well. This information will guide you through building 
the foundation for your ethical hacking program to make 
sure you're going down the right path so you don't veer 
off and end up going down a one-way dead-end street. 




In This Chapter 

Understanding hacker objectives 

Outlining the differences between ethical hackers and malicious hackers 
Examining how the ethical hacking process has come about 
Understanding the dangers that your computer systems face 
Starting the ethical hacking process 



This book is about hacking ethically — the science of testing your comput- 
ers and network for security vulnerabilities and plugging the holes you 
find before the bad guys get a chance to exploit them. 

Although ethical is an often overused and misunderstood word, the Merriam- 
Webster dictionary defines ethical perfectly for the context of this book and 
the professional security testing techniques that I cover — that is, conforming 
to accepted professional standards of conduct. IT practitioners are obligated to 
perform all the tests covered in this book aboveboard and only after permis- 
sion has been obtained by the owner(s) of the systems — hence the disclaimer 
in the introduction. 

Hou) Hackers Beget Ethical Hackers 

We've all heard of hackers. Many of us have even suffered the consequences 
of hacker actions. So who are these hackers? Why is it important to know 
about them? The next few sections give you the lowdown on hackers. 

Defining hacker 

Hacker \s a word that has two meanings: 



Traditionally, a hacker is someone who likes to tinker with software or 
electronic systems. Hackers enjoy exploring and learning how computer 
systems operate. They love discovering new ways to work electronically. 



Part I: Building the Foundation for Ethical Hacking 



pBooks 

reve 



i>* Recently, hacker has taken on a new meaning — someone who maliciously 
breaks into systems for personal gain. Technically, these criminals are 



kers (criminal hackers). Crackers break into (crack) systems with 
fcious intent. They are out for personal gain: fame, profit, and even 
revenge. They modify, delete, and steal critical information, often making 
other people miserable. 



The good-guy (white-hat) hackers don't like being in the same category as the 
bad-guy (black-hat) hackers. (These terms come from Western movies where 
the good guys wore white cowboy hats and the bad guys wore black cowboy 
hats.) Whatever the case, most people give hacker a negative connotation. 



Many malicious hackers claim that they don't cause damage but instead are 
altruistically helping others. Yeah, right. Many malicious hackers are elec- 




tronic thieves. 

In this book, I use the following terminology: 
i>* Hackers (or bad guys) try to compromise computers. 



Ethical hackers (or good guys) protect computers against illicit entry. 



Hackers go for almost any system they think they can compromise. Some 
prefer prestigious, well-protected systems, but hacking into anyone's system 
increases their status in hacker circles. 



Ethical Hacking 101 

You need protection from hacker shenanigans. An ethical hacker possesses 
the skills, mindset, and tools of a hacker but is also trustworthy. Ethical hack- 
ers perform the hacks as security tests for their systems. 

If you perform ethical hacking tests for customers or simply want to add 
another certification to your credentials, you may want to consider the ethi- 
cal hacker certification Certified Ethical Hacker, which is sponsored by EC- 
Council. See www .eccouncil .org/CEH.htmfor more information. 

Ethical hacking — also known as penetration testing or white-hat hacking — 
involves the same tools, tricks, and techniques that hackers use, but with one 
major difference: Ethical hacking is legal. Ethical hacking is performed with 
the target's permission. The intent of ethical hacking is to discover vulnera- 
bilities from a hacker's viewpoint so systems can be better secured. It's part 
of an overall information risk management program that allows for ongoing 
security improvements. Ethical hacking can also ensure that vendors' claims 
about the security of their products are legitimate. 



Chapter 1: Introduction to Ethical Hacking 



To hack your own systems like the bad guys, you must think like they think. 
It's absolutely critical to know your enemy; see Chapter 2 for details. 



•pBooks 

Understanding the Meed to 
Hack \lour Own Systems 



To catch a thief, think like a thief. That's the basis for ethical hacking. 

The law of averages works against security. With the increased numbers and 
expanding knowledge of hackers combined with the growing number of system 
vulnerabilities and other unknowns, the time will come when all computer 
systems are hacked or compromised in some way. Protecting your systems 
from the bad guys — and not just the generic vulnerabilities that everyone 
knows about — is absolutely critical. When you know hacker tricks, you can 
see how vulnerable your systems are. 

Hacking preys on weak security practices and undisclosed vulnerabilities. 
Firewalls, encryption, and virtual private networks (VPNs) can create a false 
feeling of safety. These security systems often focus on high-level vulnerabili- 
ties, such as viruses and traffic through a firewall, without affecting how hack- 
ers work. Attacking your own systems to discover vulnerabilities is a step to 
making them more secure. This is the only proven method of greatly hardening 
your systems from attack. If you don't identify weaknesses, it's a matter of 
time before the vulnerabilities are exploited. 

As hackers expand their knowledge, so should you. You must think like them 
to protect your systems from them. You, as the ethical hacker, must know 
activities hackers carry out and how to stop their efforts. You should know 
what to look for and how to use that information to thwart hackers' efforts. 




You don't have to protect your systems from everything. You can't. The only 
protection against everything is to unplug your computer systems and lock 
them away so no one can touch them — not even you. That's not the best 
approach to information security. What's important is to protect your sys- 
tems from known vulnerabilities and common hacker attacks. 



It's impossible to buttress all possible vulnerabilities on all your systems. You 
can't plan for all possible attacks — especially the ones that are currently 
unknown. However, the more combinations you try — the more you test whole 
systems instead of individual units — the better your chances of discovering 
vulnerabilities that affect everything as a whole. 

Don't take ethical hacking too far, though. It makes little sense to harden your 
systems from unlikely attacks. For instance, if you don't have a lot of foot traffic 



Part I: Building the Foundation for Ethical Hacking 



pBodks 

Your ovei 



in your office and no internal Web server running, you may not have as much 
to worry about as an Internet hosting provider would have. However, don't 
out insider threats from malicious employees! 



Your overall goals as an ethical hacker should be as follows: 

Hack your systems in a nondestructive fashion. 

v* Enumerate vulnerabilities and, if necessary, prove to upper management 
that vulnerabilities exist. 

Apply results to remove vulnerabilities and better secure your systems. 



Understanding the Dangers 
l/aur Systems Face 

It's one thing to know that your systems generally are under fire from hackers 
around the world. It's another to understand specific attacks against your sys- 
tems that are possible. This section offers some well-known attacks but is by 
no means a comprehensive listing. That requires its own book: Hack Attacks 
Encyclopedia, by John Chirillo (Wiley Publishing, Inc.). 

Many information-security vulnerabilities aren't critical by themselves. 
However, exploiting several vulnerabilities at the same time can take its toll. 
For example, a default Windows OS configuration, a weak SQL Server admin- 
istrator password, and a server hosted on a wireless network may not be 
major security concerns separately. But exploiting all three of these vulnera- 
bilities at the same time can be a serious issue. 



Nontechnical attacks 

Exploits that involve manipulating people — end users and even yourself — 
are the greatest vulnerability within any computer or network infrastructure. 
Humans are trusting by nature, which can lead to social-engineering exploits. 
Social engineering is defined as the exploitation of the trusting nature of human 
beings to gain information for malicious purposes. I cover social engineering 
in depth in Chapter 5. 

Other common and effective attacks against information systems are physical. 
Hackers break into buildings, computer rooms, or other areas containing crit- 
ical information or property. Physical attacks can include dumpster diving 
(rummaging through trash cans and dumpsters for intellectual property, 
passwords, network diagrams, and other information). 



Chapter 1: Introduction to Ethical Hacking 



DropBocte 



Network-infrastructure attacks 



ftacks against network infrastructures can be easy, because many 
can be reached from anywhere in the world via the Internet. Here 
are some examples of network-infrastructure attacks: 

u* Connecting into a network through a rogue modem attached to a 
computer behind a firewall 

V Exploiting weaknesses in network transport mechanisms, such as TCP/IP 
and NetBIOS 

f* Flooding a network with too many requests, creating a denial of service 
(DoS) for legitimate requests 

Installing a network analyzer on a network and capturing every packet 
that travels across it, revealing confidential information in clear text 

i>* Piggybacking onto a network through an insecure 802.11b wireless 
configuration 



Operating-system attacks 

Hacking operating systems (OSs) is a preferred method of the bad guys. OSs 
comprise a large portion of hacker attacks simply because every computer 
has one and so many well-known exploits can be used against them. 



Occasionally, some operating systems that are more secure out of the box — 
such as Novell NetWare and the flavors of BSD UNIX — are attacked, and 
vulnerabilities turn up. But hackers prefer attacking operating systems like 
Windows and Linux because they are widely used and better known for their 
vulnerabilities. 

Here are some examples of attacks on operating systems: 

Exploiting specific protocol implementations 
Attacking built-in authentication systems 
Breaking file-system security 
V Cracking passwords and encryption mechanisms 



Application and other specialized attacks 

Applications take a lot of hits by hackers. Programs such as e-mail server 
software and Web applications often are beaten down: 



Part I: Building the Foundation for Ethical Hacking 



pBoo 



V Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol 
(SMTP) applications are frequently attacked because most firewalls and 
r security mechanisms are configured to allow full access to these 
rams from the Internet. 

i>* Malicious software (malware) includes viruses, worms, Trojan horses, 
and spyware. Malware clogs networks and takes down systems. 

Spam (junk e-mail) is wreaking havoc on system availability and storage 
space. And it can carry malware. 

Ethical hacking helps reveal such attacks against your computer systems. 
Parts II through V of this book cover these attacks in detail, along with spe- 
cific countermeasures you can implement against attacks on your systems. 



Obeyinq the Ethical Hacking 
Commandments 

Every ethical hacker must abide by a few basic commandments. If not, bad 
things can happen. I've seen these commandments ignored or forgotten when 
planning or executing ethical hacking tests. The results weren't positive. 



Working ethically 

The word ethical in this context can be defined as working with high profes- 
sional morals and principles. Whether you're performing ethical hacking tests 
against your own systems or for someone who has hired you, everything you 
do as an ethical hacker must be aboveboard and must support the company's 
goals. No hidden agendas are allowed! 

Trustworthiness is the ultimate tenet. The misuse of information is absolutely 
forbidden. That's what the bad guys do. 



Respecting privacy 

Treat the information you gather with the utmost respect. All information 
you obtain during your testing — from Web-application log files to clear-text 
passwords — must be kept private. Don't use this information to snoop into 
confidential corporate information or private lives. If you sense that someone 
should know there's a problem, consider sharing that information with the 
appropriate manager. 



Chapter 1: Introduction to Ethical Hacking 



Involve others in your process. This is a "watch the watcher" system that can 
build trust and support your ethical hacking projects. 

oks 

Not crashing your systems 

One of the biggest mistakes I've seen when people try to hack their own sys- 
tems is inadvertently crashing their systems. The main reason for this is poor 
planning. These testers have not read the documentation or misunderstand 
the usage and power of the security tools and techniques. 

You can easily create DoS conditions on your systems when testing. Running 
too many tests too quickly on a system causes many system lockups. I know 
because I've done this! Don't rush things and assume that a network or spe- 
cific host can handle the beating that network scanners and vulnerability- 
assessment tools can dish out. 

Many security-assessment tools can control how many tests are performed 
on a system at the same time. These tools are especially handy if you need to 
run the tests on production systems during regular business hours. 

You can even create an account or system lockout condition by social engi- 
neering someone into changing a password, not realizing that doing so might 
create a system lockout condition. 

The Ethical Hacking Process 

Like practically any IT or security project, ethical hacking needs to be planned 
in advance. Strategic and tactical issues in the ethical hacking process should 
be determined and agreed upon. Planning is important for any amount of 
testing — from a simple password-cracking test to an all-out penetration test 
on a Web application. 



Formulating your plan 

Approval for ethical hacking is essential. Make what you're doing known and 
visible — at least to the decision makers. Obtaining sponsorship of the project 
is the first step. This could be your manager, an executive, a customer, or 
even yourself if you're the boss. You need someone to back you up and sign 
off on your plan. Otherwise, your testing may be called off unexpectedly if 
someone claims they never authorized you to perform the tests. 



® 




Part I: Building the Foundation for Ethical Hacking 



you re pei 

pBoote 

to ensure 



The authorization can be as simple as an internal memo from your boss if 
you're performing these tests on your own systems. If you're testing for a 

have a signed contract in place, stating the customer's support and 
tion. Get written approval on this sponsorship as soon as possible 
ensure that none of your time or effort is wasted. This documentation is 
your Get Out of Jail Free card if anyone questions what you're doing. 



You need a detailed plan, but that doesn't mean you have to have volumes of 
testing procedures. One slip can crash your systems — not necessarily what 
anyone wants. A well-defined scope includes the following information: 

W Specific systems to be tested 
Risks that are involved 

When the tests are performed and your overall timeline 
How the tests are performed 

How much knowledge of the systems you have before you start testing 

V What is done when a major vulnerability is discovered 

The specific deliverables — this includes security-assessment reports 
and a higher-level report outlining the general vulnerabilities to be 
addressed, along with countermeasures that should be implemented 

When selecting systems to test, start with the most critical or vulnerable 
systems. For instance, you can test computer passwords or attempt social- 
engineering attacks before drilling down into more detailed systems. 

It pays to have a contingency plan for your ethical hacking process in case 
something goes awry. What if you're assessing your firewall or Web applica- 
tion, and you take it down? This can cause system unavailability, which can 
reduce system performance or employee productivity. Even worse, it could 
cause loss of data integrity, loss of data, and bad publicity. 

Handle social-engineering and denial-of-service attacks carefully. Determine 
how they can affect the systems you're testing and your entire organization. 

Determining when the tests are performed is something that you must think 
long and hard about. Do you test during normal business hours? How about 
late at night or early in the morning so that production systems aren't affected? 
Involve others to make sure they approve of your timing. 

The best approach is an unlimited attack, wherein any type of test is possi- 
ble. The bad guys aren't hacking your systems within a limited scope, so why 
should you? Some exceptions to this approach are performing DoS, social- 
engineering, and physical-security tests. 



Don't stop with one security hole. This can lead to a false sense of security. 
Keep going to see what else you can discover. I'm not saying to keep hacking 



Chapter 1: Introduction to Ethical Hacking 



DropBooks 

example, 1 



until the end of time or until you crash all your systems. Simply pursue the 
path you're going down until you can't hack it any longer (pun intended). 



ur goals may be to perform the tests without being detected. For 
example, you may be performing your tests on remote systems or on a remote 
office, and you don't want the users to be aware of what you're doing. Other- 
wise, the users may be on to you and be on their best behavior. 

You don't need extensive knowledge of the systems you're testing — just a 
basic understanding. This will help you protect the tested systems. 

Understanding the systems you're testing shouldn't be difficult if you're hack- 
ing your own in-house systems. If you're hacking a customer's systems, you 
may have to dig deeper. In fact, I've never had a customer ask for a fully blind 
assessment. Most people are scared of these assessments. Base the type of 
test you will perform on your organization's or customer's needs. 

Chapter 19 covers hiring "reformed" hackers. 



Selecting toots 

As with any project, if you don't have the right tools for ethical hacking, accom- 
plishing the task effectively is difficult. Having said that, just because you use 
the right tools doesn't mean that you will discover all vulnerabilities. 

Know the personal and technical limitations. Many security-assessment tools 
generate false positives and negatives (incorrectly identifying vulnerabilities). 
Others may miss vulnerabilities. If you're performing tests such as social- 
engineering or physical-security assessments, you may miss weaknesses. 

Many tools focus on specific tests, but no one tool can test for everything. 
For the same reason that you wouldn't drive in a nail with a screwdriver, you 
shouldn't use a word processor to scan your network for open ports. This is 
why you need a set of specific tools that you can call on for the task at hand. 
The more tools you have, the easier your ethical hacking efforts are. 

Make sure you that you're using the right tool for the task: 

I To crack passwords, you need a cracking tool such as LC4, John the 
Ripper, or pwdump. 

A general port scanner, such as SuperScan, may not crack passwords. 

i>* For an in-depth analysis of a Web application, a Web-application assess- 
ment tool (such as Whisker or Weblnspect) is more appropriate than a 
network analyzer (such as Ethereal). 



Part I: Building the Foundation for Ethical Hacking 




When selecting the right security tool for the task, ask around. Get advice 
from your colleagues and from other people online. A simple Groups search 
ie (www .google .com) or perusal of security portals, such as 
Focus.com, SearchSecurity.com, and ITsecurity.com, often produces 
great feedback from other security experts. 



irom your 
^*%ri(jO0^e 
Qel\J5c 



Hundreds, if not thousands, of tools can be used for ethical hacking — from 
your own words and actions to software-based vulnerability-assessment pro- 
grams to hardware-based network analyzers. The following list runs down 
some of my favorite commercial, freeware, and open-source security tools: 



is Nmap 
is EtherPeek 
iS SuperScan 

QualysGuard 
\S Weblnspect 

\S LC4 (formerly called LOphtcrack) 
\S LANguard Network Security Scanner 
\S Network Stumbler 
\S ToneLoc 



Here are some other popular tools: 



\S 


Internet Scanner 


IS 


Ethereal 


IS 


Nessus 


IS 


Nikto 


IS 


Kismet 


IS 


THC-Scan 



I discuss these tools and many others in Parts II through V when I go into the 
specific hack attacks. Appendix A contains a more comprehensive listing of 
these tools for your reference. 



The capabilities of many security and hacking tools are often misunderstood. 
This misunderstanding has shed negative light on some excellent tools, such 
as SATAN (Security Administrator Tool for Analyzing Networks) and Nmap 
(Network Mapper). 

Some of these tools are complex. Whichever tools you use, familiarize yourself 
with them before you start using them. Here are ways to do that: 



Chapter 1: Introduction to Ethical Hacking 



DropBoofcs- 

anoth 



u 0 Read the readme and/or online help files for your tools. 
Study the user's guide for your commercial tools. 



der formal classroom training from the security-tool vendor or 
another third-party training provider, if available. 

Look for these characteristics in tools for ethical hacking: 

f* Adequate documentation. 

v* Detailed reports on the discovered vulnerabilities, including how they 
may be exploited and fixed. 

Updates and support when needed. 

u* High-level reports that can be presented to managers or nontechie types. 



These features can save you time and effort when you're writing the report. 



Executing the plan 

Ethical hacking can take persistence. Time and patience are important. Be 
careful when you're performing your ethical hacking tests. A hacker in your 
network or a seemingly benign employee looking over your shoulder may 
watch what's going on. This person could use this information against you. 

It's not practical to make sure that no hackers are on your systems before 
you start. Just make sure you keep everything as quiet and private as possi- 
ble. This is especially critical when transmitting and storing your test results. 
If possible, encrypt these e-mails and files using Pretty Good Privacy (PGP) or 
something similar. At a minimum, password-protect them. 

You're now on a reconnaissance mission. Harness as much information as 
possible about your organization and systems, which is what malicious hack- 
ers do. Start with a broad view and narrow your focus: 

1. Search the Internet for your organization's name, your computer and 
network system names, and your IP addresses. 

Google is a great place to start for this. 

2. Narrow your scope, targeting the specific systems you're testing. 

Whether physical-security structures or Web applications, a casual 
assessment can turn up much information about your systems. 

3. Further narrow your focus with a more critical eye. Perform actual 
scans and other detailed tests on your systems. 

4. Perform the attacks, if that's what you choose to do. 



Part I: Building the Foundation for Ethical Hacking 



pBoote 



Evaluating results 



.our results to see what you uncovered, assuming that the vulnerabil- 
en't been made obvious before now. This is where knowledge counts. 
Evaluating the results and correlating the specific vulnerabilities discovered 
is a skill that gets better with experience. You'll end up knowing your systems 
as well as anyone else. This makes the evaluation process much simpler 
moving forward. 

Submit a formal report to upper management or to your customer, outlining 
your results. Keep these other parties in the loop to show that your efforts 
and their money are well spent. Chapter 17 describes this process. 



Moving on 



When you've finished your ethical hacking tests, you still need to implement 
your analysis and recommendations to make sure your systems are secure. 

New security vulnerabilities continually appear. Information systems con- 
stantly change and become more complex. New hacker exploits and security 
vulnerabilities are regularly uncovered. You may discover new ones! Security 
tests are a snapshot of the security posture of your systems. At any time, 
everything can change, especially after software upgrades, adding computer 
systems, or applying patches. Plan to test regularly (for example, once a 
week or once a month). Chapter 19 covers managing security changes. 




Chapter 2 



In This Chapter 

Understanding the enemy 
Profiling hackers 

Understanding why hackers do what they do 
Examining how hackers go about their business 

••••••••••••••••••••••••••••••••••••••••••••••••a 



#^efore you start assessing the security of your own systems, it helps to 
^^know something about the enemies you're up against. Many informa- 
tion-security product vendors and other professionals claim that you should 
protect your systems from the bad guys — both internal and external. But 
what does this mean? How do you know how these bad guys think and work? 

Knowing what hackers want helps you understand how they work. Under- 
standing how they work helps you look at your information systems in a whole 
new way. In this chapter, I describe what you're up against, who's actually 
doing the hacking, and what their motivations and methods are so you're 
better prepared for your ethical hacking tests. 



Thanks to sensationalism, the definition of hacker has transformed from 
harmless tinkerer to malicious criminal. Hackers often state that the general 
public misunderstands them, which is mostly true. It's easy to prejudge what 
you don't understand. Hackers can be classified by both their abilities and 
underlying motivations. Some are skilled, and their motivations are benign; 
they're merely seeking more knowledge. At the other end of the spectrum, 
hackers with malicious intent seek some form of personal gain. Unfortunately, 
the negative aspects of hacking usually overshadow the positive aspects, 
resulting in the stereotyping. 




Historically, hackers have hacked for the pursuit of knowledge and the thrill 
of the challenge. Script kiddies aside, hackers are adventurous and innovative 
thinkers, and are always thinking about exploiting computer vulnerabilities. 



Part I: Building the Foundation for Ethical Hacking 



pBo 



(For more on script kiddies, see "Who Hacks," later in this chapter.) They see 
what others often overlook. They wonder what would happen if a cable were 
gd, a switch were flipped, or lines of code were changed in a program, 
[-school hackers are like Tim the Toolman Taylor — Tim Allen's char- 
acter on the late, great sitcom Home Improvement — thinking mechanical and 
electronic devices can be improved if they're "rewired." More recent evidence 
shows that many hackers are hacking for political, competitive, and even finan- 
cial purposes, so times are changing. 



When they were growing up, hackers' rivals were monsters and villains on 
video game screens. Now hackers see their electronic foes as only that — 
electronic. Hackers who perform malicious acts don't really think about the 
fact that human beings are behind the firewalls and Web applications they're 
attacking. They ignore that their actions often affect those human beings in 
negative ways, such as jeopardizing their job security. 

Hackers and the act of hacking drive the advancement of security technology. 
After all, hackers don't create security holes; they expose and exploit existing 
holes in applications. Unfortunately, security technology advances don't ward 
off all hacker attacks, because hackers constantly search for new holes and 
weaknesses. The only sure-fire way to keep the bad guys at bay is to use behav- 
ior modification to change them into productive, well-adjusted members of 
society. Good luck with that. 



However you view the stereotypical hacker, one thing is certain: Some people 
always will try to take down your computer systems through manual hacking 
or by creating and launching automated worms and other malware. You must 
take the appropriate steps to protect your systems against them. 



Who Hacks 

Computer hackers have been around for decades. Since the Internet became 
widely used in the late 1990s, we've started to hear more and more about hack- 
ing. Only a few hackers, such as John Draper (also known as Captain Crunch) 
and Kevin Mitnick, are well known. Gobs more unknown hackers are looking 
to make a name for themselves. They're the ones to look out for. 

In a world of black and white, it's easy to describe the typical hacker. A gen- 
eral stereotype of a typical hacker is an antisocial, pimple-faced teenage boy. 
But the world has many shades of gray and, therefore, many types of hackers. 
Hackers are human like the rest of us and are, therefore, unique individuals, 
so an exact profile is hard to outline. The best broad description of hackers is 
that all hackers aren't equal. Each hacker has motives, methods, and skills. 
But some general characteristics can help you understand them. 

Not all hackers are antisocial, pimple-faced teenagers. Regardless, hackers 
possess curiosity, bravado, and often very sharp minds. 



Chapter 2: Cracking the Hacker Mindset 



^v^h^^n^r^rnfVc^wi 



Is the government hacking? 



vith another country, some 
governments will wage war via the Internet and 
other computer systems. For example, the U.S. 
government reportedly has launched cyber- 
attacks against its adversaries — such as 
Yugoslavia during the Milosevic crisis in the late 
1990s and in the recent war in Iraq. 

Are we headed toward a digital Pearl Harbor? 
I'm not convinced that we are, but this method 



of waging war is becoming more common as 
technology progresses. Many folks are skepti- 
cal about this as well, and the U.S. govern- 
ment denies most of its involvement. However, 
because the world increasingly relies on com- 
puter and network technology, PCs, and the 
Internet, those avenues may become the launch- 
ing pads or battlegrounds for future conflicts. 



Just like anyone can become a thief, an arsonist, or a robber, anyone can 
become a hacker, regardless of age, gender, or race. Given this diverse profile, 
skills vary widely from one malicious hacker to the next. Some hackers barely 
know how to surf the Internet, whereas others write software that other hack- 
ers and ethical hackers alike depend on. 

Script kiddies: These are computer novices who take advantage of the 
hacker tools and documentation available for free on the Internet but 
don't have any knowledge of what's going on behind the scenes. They 
know just enough to cause you headaches but typically are very sloppy in 
their actions, leaving all sorts of digital fingerprints behind. Even though 
these guys are the stereotypical hackers that you hear about in the news 
media, they often need minimal skills to carry out their attacks. 

Intermediate hackers: These halfway hackers usually know just enough 
to cause serious problems. They know about computers and networks, 
and often use well-known exploits. Some want to be experts; given enough 
time and effort, they can be. 

Elite hackers: These are skilled hacking experts. These are the people 
who write many of the hacker tools, including the scripts and other pro- 
grams that the script kiddies use. These folks write such malware as 
viruses and worms. They can break into systems and cover their tracks. 
They can even make it look like someone else hacked the systems. 

Elite hackers are often very secretive and share information with their 
"subordinates" only when they are deemed worthy. Typically, for lower- 
ranked hackers to be considered worthy, they must possess some unique 
information or prove themselves through a high-profile hack. These hack- 
ers are your worst enemies in information security. Okay, maybe they're 
not as bad as untrained end users, but that's another issue. Fortunately, 
elite hackers are not as plentiful as script kiddies. 

Other hacktivists try to disseminate political or social messages through their 
work. A hacktivist wants to raise public awareness of an issue. Examples of 



Part I: Building the Foundation for Ethical Hacking 



in tne nam 

pBoofe 5 

Chinese f ii 



hacktivism are the Web sites that were defaced with the Free Kevin messages 
in the name of freeing Kevin Mitnick from prison for his famous hacking 
s. Other cases of hacktivism include messages about legalizing 
, protests against the U.S. Navy spy plane that collided with the 
ghter jet in 2001, the common hacker attacks between India and 
Pakistan, and attacks against the U.S. White House Web site over the years. 



Cyberterrorists attack government computers or public utility infrastructures, 
such as power grids and air-traffic-control towers. They crash critical systems 
or steal classified government information. Countries take these threats so 
seriously that many mandate information-security controls in such industries 
as the power industry to protect essential systems against these attacks. 

Hackers for hire are part of organized crime on the Internet. In late 2003, the 
Korean National Police Agency busted the Internet's largest organized hacking 
ring, which had over 4,400 members. Prior to that, police in the Philippines 
busted a multimillion-dollar organized hacking ring that was selling cheap 
phone calls made through phone lines the ring had hacked into. Many of 
these hackers hire themselves out for money — and lots of it! 



Why Hackers Hack 

The main reason hackers hack is because they can! Okay, it goes a little deeper 
than that. Hacking is a casual hobby for some hackers — they just hack to see 
what they can and can't break into, usually testing only their own systems. 
These aren't the folks I'm writing about here. I'm focusing on those hackers 
who are obsessive and often have criminal intent. 

Many hackers get a kick out of outsmarting corporate and government IT and 
security administrators. They thrive on making headlines and being notorious 
cyberoutlaws. Defeating an entity or possessing knowledge makes them feel 
better about themselves. Many of these hackers feed off instant gratification. 
They become obsessed with this feeling. Hackers can't resist the adrenaline 
rush they get when breaking into someone else's systems. Often, the more 
difficult the job is, the greater the thrill. 

The knowledge that malicious hackers gain and the elevated ego that comes 
with that knowledge are like an addiction and a way of life. Some hackers want 
to make your life miserable, and others simply want to be seen or heard. Some 
common hacker motives are revenge, basic bragging rights, curiosity, boredom, 
challenge, vandalism, theft for financial gain, sabotage, blackmail, extortion, and 
corporate espionage. 

Hackers often promote individualism — or at least the decentralization of 
information — because many believe that all information should be free. 
They think cyberattacks are different from attacks in the real world. They 
easily ignore or misunderstand their victims and the consequences of hacking. 



Chapter 2: Cracking the Hacker Mindset 



DropBotfks 

^ber Manv bus 

i 



Many hackers say they don't intend to harm or profit through their bad deeds, 
which helps them justify their work. They often don't look for tangible payoffs, 
ing a point is often a good enough reward for them. 



Many business owners and managers — even some network and security 
administrators — believe that they don't have anything that a hacker wants or 
that hackers can't do much damage if they break in. This couldn't be further 
from the truth. This kind of thinking helps support hackers and their objec- 
tives. Hackers can compromise a seemingly unimportant system to access 
the network and use it as a launching pad for attacks on other systems. 



It's worth repeating that hackers often hack because they can. Some hackers 
go for high-profile systems, but hacking into anyone's system helps them fit 
into hacker circles. Hackers use the false sense of security that many people 
have and go for almost any system they think they can compromise. They 
know that electronic information can be in more than one place at the same 
time. It's tough to prove that hackers took the information and possess it. 

Similarly, hackers know that a simple defaced Web page — however easily 
attacked — is not good for business. The following Web sites show examples 
of Web pages that have been defaced in the past few years: 

If www . 2600 . com/hackecLpages 
www .onething.com/archive 

Hacked sites like these can persuade management and other nonbelievers 
that information threats and vulnerabilities should be addressed. 

Hacking continues to get easier for several reasons: 

Increasing use of networks and Internet connectivity 
V Anonymity provided by computer systems working over the Internet 
v 0 Increasing number and availability of hacking tools 
i>* Computer-sawy children 

Unlikelihood that hackers are investigated or prosecuted if caught 

Although most hacker attacks go unnoticed or unreported, hackers who are 
discovered are often not pursued or prosecuted. When they're caught, hack- 
ers often rationalize their services as being altruistic and a benefit to society: 
They're merely pointing out vulnerabilities before someone else does. 
Regardless, if justice is ever served, it helps eliminate the "fame and glory" 
reward system that hackers thrive on. 

These criminal hackers are in the minority, so don't think that you're up 
against millions of these villains. Many other hackers just love to tinker and 
only seek knowledge of how computer systems work. 



Part I: Building the Foundation for Ethical Hacking 




acking in the name of liberty 



lanynafXerS exmfJTt behaviors that contradict 
what they're fighting for — that is, they fight for 
civil liberties and wantto be left alone, and at the 
same time, they love prying into other people's 
business. Many hackers claim to be civil liber- 
tarians supporting the principles of personal pri- 
vacy and freedom. However, they act in an 
entirely different way by intruding on the privacy 
and property of others. They often steal the 
property and rights of others, yet are willing to 



go to great lengths to get their own rights back 
from anyone who tries to take them away. 

The case against copyrighted materials and 
the Recording Industry Association of America 
(RIAA) is a classic example. Hackers have gone 
to great lengths to prove a point, from defacing 
the Web sites of organizations that support copy- 
rights to illegally sharing music by using other- 
wise legal mediums such as Kazaa, Gnutella, 
and Morpheus. 



Planning and Performing Attacks 

Hacking styles vary widely: 

v 0 Some hackers prepare far in advance of a large attack. They gather 
small bits of information and methodically carry out their hacks, as I 
outline in Chapter 4. These hackers are more difficult to track. 

V Other hackers — usually, the inexperienced script kiddies — act 

before they think things through. For example, such hackers may try to 
telnet directly into an organization's router without hiding their identi- 
ties. Other hackers may try to launch a DoS attack against a Microsoft 
Exchange e-mail server without first determining what version of 
Exchange is running or what patches are installed. 

These are the guys who usually get caught. 




Although the hacker underground is a community, many of the hackers — 
especially the elite hackers — don't share information with the crowd. Most 
hackers do much of their work independently from other hackers. Hackers 
who network with one another use private bulletin board systems (BBSs), 
anonymous e-mail addresses, hacker Web sites, and Internet Relay Chat (IRC). 

You can log on to many of these sites to see what hackers are doing. 

Whatever approach they take, most malicious hackers prey on ignorance. 
They know the following aspects of real-world security: 



i>* The majority of systems that hackers want to attack aren't managed 
properly. The computer systems aren't properly patched, hardened, and 
monitored as they should be. Hackers often can attack by flying below 
the average radar of the firewalls, IDSs, and authentication systems. 



Chapter 2: Cracking the Hacker Mindset 



ipBooks 



Most network and security administrators simply can't keep up with the 
deluge of new vulnerabilities. 

mation systems grow more complex every year. This is yet another 
on why overburdened administrators find it difficult to know what's 
happening across the wire and on the hard drives of their systems. 




Time is a hacker's friend — and it always seems to be on the hacker's side. By 
attacking through computers rather than in person, hackers have more con- 
trol over when they can carry out their attacks. 

W Hack attacks can be carried out slowly, making them hard to detect. 

v 0 They're frequently carried out after typical business hours — often, in 
the middle of the night. Defenses are often weaker at night — with less 
physical security and less intrusion monitoring — when the typical net- 
work administrator (or security guard) is sleeping. 

If you want detailed information on how some hackers work or want to keep 
up with the latest hacker methods, several magazines are worth checking out: 

V 2600 — The Hacker Quarterly magazine (www . 2600 .com). I've found gobs 
of great information in 2600. 

V PHRACK (www .phrack.org). 

Computer Underground Digest (www . soci .niu.edu/~cudigest). 

Also, check out Lance Spitzner's Web site www . tracki ng- hackers . com for 
some great information on using honeypots to track hacker behavior. 

Hackers learn from their hacking mistakes. Every mistake moves them one 
step closer to breaking into someone's system. They use this wisdom when 
carrying out future attacks. 



Maintaining Anonymity 

Smart hackers want to be as low-key as possible. Covering their tracks is a 
priority. In fact, success often depends on it. They don't want to raise suspi- 
cion so they can come back and access the systems in the future. Hackers 
often remain anonymous by using one of the following techniques: 



Borrowed or stolen dial-up accounts from friends or previous employers 
Public computers at libraries, schools, or kiosks at the local mall 
Internet proxy servers or anonymizer services 
i>* Anonymous or disposable e-mail accounts from free e-mail services 



Part I: Building the Foundation for Ethical Hacking 



■-^ tr* Unsec 

pbocfe 



Open e-mail relays 

Unsecured computers — also called zombies — at other organizations 
stations or servers on the victim's own network 



If hackers use enough steppingstones for their attacks, they are hard to trace. 




Chapter 3 

^ Developing Your Ethical 

Hacking Plan 

In This Chapter 



Setting ethical hacking goals 

Selecting which systems to test 

Developing your ethical hacking testing standards 

Examining hacking tools 






i 


ZM s an ethical hacker, you must plan your ethical hacking efforts before you 
* \ start. A detailed plan doesn't mean that your testing must be elaborate. 



It just means that you're very clear and concise on what's done. Given the 
seriousness of ethical hacking, make this as structured a process as possible. 



Even if you're just testing a single Web application or workgroup of comput- 
ers, it's critical to establish your goals, define and document the scope of 
what you'll be testing, determine your testing standards, and gather and 
familiarize yourself with the proper tools for the task. This chapter covers 
these steps to help you create a positive ethical hacking environment so you 
can set yourself up for success. 



Getting \lour Plan Approved 

Getting approval for ethical hacking is critical. First, obtain project sponsor- 
ship. This approval can come from your manager, an executive, a customer, 
or yourself (if you're the boss). Otherwise, your testing may be canceled sud- 
denly, or someone can deny authorizing the tests. There can even be legal 
consequences for unauthorized hacking. Always make sure that what you're 
doing is known and visible — at least to the decision-makers. Chapter 20 
outlines ten tips for getting upper management's buy-in on your security 
initiatives. 



Part I: Building the Foundation for Ethical Hacking 



If you're an independent consultant or have a business with a team of ethical 
hackers, consider getting professional liability (also known as errors and 
fSFli&i&iP) insurance from an agent who specializes in business insurance 
yjbyV^^. This kind of insurance can be expensive, but it can be well worth it. 

The authorization can be as simple as an internal memo from upper manage- 
ment if you're performing these tests on your own systems. If you're perform- 
ing testing for a customer, you must have a signed contract in place, stating 
the customer's support and authorization. Get written approval as soon as 
possible to ensure that your time and efforts are not wasted. This documen- 
tation is your security if anyone questions what you're doing. 



Establishing \lour Goals 

Your ethical hacking plan needs goals. The main goal of ethical hacking is to 
find vulnerabilities in your systems so you can make them more secure. You 
can then take this a step further: 

IV Define more specific goals. Align these goals with your business 
objectives. 
V Create a specific schedule with start and end dates. These dates are 
critical components of your overall plan. 

Before you begin any ethical hacking, you absolutely, positively need every- 
thing in writing and signed-off on. 

Document everything, and involve upper management in this process. Your 
best ally in your ethical hacking efforts is a manager who supports what 
you're doing. 

The following questions can start the ball rolling: 

V Does ethical hacking support the mission of the business and its IT and 
security departments? 

What business goals are met by performing ethical hacking? 
These goals may include the following: 

• Prepping for the internationally accepted security framework of 
ISO 1 7799 or a security seal such as SysTrust or WebTrust 

• Meeting federal regulations 

• Improving the company's image 

V How will ethical hacking improve security, IT, and the general business? 
What information are you protecting? 





Chapter 3: Developing Your Ethical Hacking Plan 



This could be intellectual property, confidential customer information, 
or private employee information. 



What specific deliverables will there be? 

Deliverables can include anything from high-level executive reports to 
detailed technical reports and write-ups on what you tested along with 
the outcomes of your tests. You can deliver specific information that is 
gleaned during your testing, such as passwords and other confidential 
information. 

What specific outcomes do you want? 

Desired outcomes include the justification for hiring or outsourcing secu- 
rity personnel, increasing your security budget, or enhancing security 
systems. 

People within your organization may attempt to keep you from performing 
your ethical hacking plans. The best antidote is education. Show how ethical 
hacking helps support the business in everyone's favor. 

After you know your goals, document the steps to get there. For example, if 
one goal is to develop a competitive advantage to keep existing customers 
and attract new ones, determine the answers to these questions: 

i>* When will you start your ethical hacking? 

Will your ethical hacking be blind, in which you know nothing about the 
systems you're testing, or a knowledge-based attack, in which you're 
given specific information about the systems you're testing such as IP 
addresses, hostnames, and even usernames and passwords? 

«>* Will this testing be technical in nature or involve physical security 
assessments or even social engineering? 

]S Will you be part of a larger ethical hacking team, often called a tiger team 
or red team? 

Will you notify your customers of what you're doing? If so, how? 

Customer notification is a critical issue. Many customers appreciate that 
you're taking steps to protect their information. Approach the testing in 
a positive way. Don't say, "We're breaking into our systems to see what 
information of yours is vulnerable to hackers." Instead, you can say that 
you're assessing the overall security of your systems so the information 
is as secure as possible from the bad guys. 

How will you notify customers that the organization is taking steps to 
enhance the security of their information? 




much money, time, and effort are you and your organization willing 
>end on ethical hacking? 



**" What measurements can ensure that these efforts are paying off? 



Part I: Building the Foundation for Ethical Hacking 



Establishing your goals takes time, but you won't regret it. These goals are 
your road map. If you have any concerns, refer to these goals to make sure 
stay on track. 



pBodto 

determining What Systems to Hack 



You probably don't want — or need — to assess the security of all your sys- 
tems at the same time. This could be quite an undertaking and could lead to 
problems. I'm not saying you shouldn't eventually assess every computer and 
application you have. I'm just suggesting that whenever possible, you should 
break your ethical hacking projects into smaller chunks to make them more 
manageable. You may decide which systems to test based on a high-level risk 
analysis, answering questions such as: 



V What are your most critical systems? Which systems, if hacked, would 
cause the most trouble or the greatest losses? 

Which systems appear to be most vulnerable to attack? 

*** Which systems are not documented, are rarely administered, or are the 
ones you know the least about? 



After you've established your overall goals, decide which systems to test. 
This step helps you carefully define a scope for your ethical hacking so that 
you not only establish everyone's expectations up front, but also better esti- 
mate the time and resources for the job. 

The following list includes systems and applications that you may consider 
performing your hacking tests on: 



f* Routers 
i>* Firewalls 

t<" Network infrastructure as a whole 

Wireless access points and bridges 
**" Web, application, and database servers 
V E-mail and file/print servers 

Workstations, laptops, and tablet PCs 

Mobile devices (such as PDAs and cell phones) that store confidential 
information 

u* Client and server operating systems 

f Client and server applications, such as e-mail or other in-house systems 



Chapter 3: Developing Your Ethical Hacking Plan 



a sma 

ipBocft 

decisi 



What specific systems you should test depends on several factors. If you have 
a small network, you can test everything from the get-go. You may consider 
st public-facing hosts such as e-mail and Web servers and their 
:d applications. The ethical hacking process is flexible. Base these 
decisions on what makes the most business sense. 




Start with the most vulnerable systems, and consider the following factors: 

Where the computer or application resides on the network 
Which operating system and application(s) it runs 
The amount or type of critical information stored on it 

If you're hacking your own systems or a customer's systems, a previous 
security-risk assessment or vulnerability test may already have generated 
this information. If so, that documentation may help identify systems for 
more testing. 

Ethical hacking goes a few steps beyond the higher-level information risk 
assessments and vulnerability testing. As an ethical hacker, you first glean 
information on all systems — including the organization as a whole — and 
then further assess the systems that appear most vulnerable. I discuss the 
ethical hacking methodology in more detail in Chapter 4. 

Another factor to help you decide where to start is to assess the systems that 
have the greatest visibility. For example, focusing on a database or file server 
that stores customer or other critical information may make more sense — at 
least initially — than concentrating on a firewall or Web server that hosts 
marketing information about the company. 



Creating Testing Standards 

One miscommunication or slip-up can send your systems crashing during 
your ethical hacking tests. No one wants that to happen. To prevent mishaps, 
develop and document testing standards. These standards should include 

f When the tests are performed, along with the overall timeline 

v 0 What tests are performed 

i>* How the tests are performed, and from where 

i>* How much knowledge of the systems you acquire in advance 

f* What you do when a major vulnerability is discovered 

This is a list of general best practices. You can apply more standards for your 
situation. 



Part I: Building the Foundation for Ethical Hacking 



Timing 



pBoote 




they say that it's "all in the timing." This is especially true when 
hg ethical hacking tests. Make sure that the tests you're performing 
minimize disruption to business processes, information systems, and people. 
You want to avoid situations like miscommunicating the timing of tests and 
causing a DoS attack against a high-traffic e-commerce site in the middle of 
the day, or forcing yourself or others to perform password-cracking tests in 
the middle of the night. It's amazing what a 12-hour time difference can make! 
Everyone in the project should agree on a detailed timeline before you begin. 
This puts everyone on the same page and sets correct expectations. 

Notify any Internet Service Providers (ISP) or Application Service Providers 
(ASPs) involved before performing any tests across the Internet. This way, 
ISPs and ASPs will be aware of the testing going on, which will minimize the 
chance that they will block your traffic if they suspect malicious behavior 
that shows up on their firewalls or Intrusion Detection Systems (IDSs). 

The timeline should include specific short-term dates and times of each test, 
the start and end dates, and any specific milestones in between. You can 
develop and enter your timeline into a simple spreadsheet or Gantt chart, or 
you can include the timeline as part of your initial customer proposal and 
contract. For example, you could use a timeline similar to the following: 



Test Performed 


Tester 




Start Time 


Projected End Time 


War dial 


Tommy Tinkei 


July 1,6:00 a.m. 


July 1,10:00 a.m. 


Password cracking 


Amy Trusty 




July 2, 12:00 p.m. 


July 2, 5:00 p. 


m. 



This timeline will keep things simple and provide a reference during testing. 

Specific tests 

You may have been charged with performing a general penetration test, or you 
may want to perform specific tests, such as cracking passwords or war-dialing 
into a network. Or you might be performing a social-engineering test or assess- 
ing the Windows operating systems on the network. However you're testing, 
you may want to conceal the specifics of the testing to keep what you're doing 
covert or to protect your methodologies. In fact, your manager or customer 
may not want the details. Either way, document and make known at a high level 
what you're doing. This can help eliminate any potential miscommunication 
and keep you out of hot water. 



A good way to provide evidence of what was tested, when it was tested, and 
more is to enable logging on the systems you're testing. 



Chapter 3: Developing Your Ethical Hacking Plan 



Sometimes, you may know the general tests that you're performing, but if you're 
using automated tools, it may be next to impossible to understand completely 



xm to^t you're performing. This is especially true if the software you're using 



Ayjjvg^eal-time vulnerability-testing updates from the vendor every time you 
run it. The potential for frequent updates underscores the importance of read- 
ing the documentation and readme files that come with the tools you're using. 

I have experienced surprising vulnerability updates in the past. I was perform- 
ing an automated assessment on a customer's Web site — the same test I had 
just performed the previous week. The customer and I had scheduled the test 
date and time in advance. What I didn't know is that the software vendor made 
some changes to its Web form submission tests, and I flooded the customer's 
Web application, creating a DoS condition. 

Luckily, this DoS condition occurred after business hours and didn't affect 
the customer's operations. However, the customer's Web application was 
coded to generate an alert e-mail for every form submission. The application 
developer and company's president received 4,000 e-mails in their inboxes 
within about 10 minutes — ouch! I was lucky that the president was tech- 
sawy and understood the situation. It's important to have a contingency plan 
in case a situation like this occurs. 



It may be good to have some knowledge of the systems you're testing, but it's 
not required. However, a basic understanding of the systems you're hacking 
can protect you and others. Obtaining this knowledge shouldn't be difficult if 
you're hacking your own in-house systems. If you're hacking a customer's 
systems, you may have to dig a little deeper into how the systems work so 
you know what's what. That's how I've always done it. In fact, I've never had 
a customer ask for a fully blind assessment. Most people are scared of these 
assessments. This doesn't mean that blind assessments aren't valuable. The 
type of assessment you carry out depends on your specific needs. 

The best approach is to plan on unlimited attacks, wherein any test is possible. 
The bad guys aren't hacking your systems within a limited scope, so why 
should you? 

Consider whether the tests should be undetected. This isn't required but 
should be considered, especially for social-engineering and physical security 
tests. I outline specific tests for those subjects in Chapter 5 and Chapter 6. 

A false sense of vigilance can be created if too many insiders know about your 
testing which can end up negating the hard work you're putting into this. 
This doesn't mean you shouldn't tell anyone. Always have a main point of 
contact within the organization — preferably someone with decision-making 
authority — that both you and all employees can contact if and when some- 
thing goes wrong. 




Blind Versus knortiedqe assessments 



Part I: Building the Foundation for Ethical Hacking 



Location 



you're performing dictate where you must run them from. Your goal 
your systems from locations where malicious hackers can access 
the systems. You can't predict whether you'll be attacked by a hacker from 
outside or inside your network, so cover all your bases. Combine external 
(public Internet) tests and internal (private network) tests. 

You can perform some tests, such as password cracking and network-infra- 
structure assessments, from the comfort of your office — inside the network. 
But it may be better to have a true outsider perform other tests on routers, 
firewalls, and public Web applications. 

For your external hacks that require network connectivity, you may have to 
go off-site (a good excuse to work from home) or use an external proxy server. 
Better yet, if you can assign an available public IP address to your computer, 
plug into the network on the outside of the firewall for a hacker's-eye view of 
your systems. Internal tests are easy because you need only physical access 
to the building and the network. 



Reacting to major exploits that you find 

Determine ahead of time whether you'll stop or keep going when you find a 
critical security hole. Your manager or your customer may not ask you to, 
but I think it's best to keep going to see what else you can discover. I'm not 
saying to keep hacking until the end of time or until you crash all your sys- 
tems. Simply pursue the path you're going down until you can't hack it any 
longer (pun intended). 



Sitty assumptions 

You've heard what you make of yourself when you assume things. Even so, 
you must make assumptions when you hack your systems. Here are some 
examples of those assumptions: 

Computers, networks, and people are available when you're testing. 
W You have all the proper hacking tools. 

The hacking tools you're using won't crash your systems. 
W Your hacking tools actually work. 
V You know all the risks of your tests. 

You should document all assumptions and have management or your cus- 
tomer sign off on them as part of your overall approval process. 



Chapter 3: Developing Your Ethical Hacking Plan 



Selecting Toots 



ipBooks 

vou're ru 



ired security-assessment tools (hacking tools ) depend on the tests 
you're running. You can perform some ethical hacking tests with a pair of 
sneakers, a telephone, and a basic workstation on the network. However, 
comprehensive testing is easier with hacking tools. 

Not only do you need an arsenal of tools, but you should also use the right 
tool for the task: 

f" If you're cracking passwords, a general port scanner such as SuperScan 
or Nmap may not do the trick. For this task, you need a tool such as LC4, 
John the Ripper, or pwdump. 

V If you're attempting an in-depth analysis of a Web application, a Web- 
application assessment tool (such as Nikto or Weblnspect) is more 
appropriate than a network analyzer such as Ethereal. 

If you're not sure what tools to use, fear not. Throughout this book, I intro- 
duce a wide variety of tools — both free and commercial — that you can use 
to accomplish your tasks. 

You can choose among hundreds, if not thousands, of tools for ethical 
hacking — everything from your own words and actions to software-based 
vulnerability-assessment programs to hardware-based network analyzers. 
Here's a rundown of some of my favorite commercial, freeware, and open- 
source security tools: 

©stake LOphtcrack (now called LC4) 
i>* Ethereal 

Foundstone SuperScan 
Qualys QualysGuard 
GFI LANguard Network Security Scanner 
John the Ripper 
Network Stumbler 

V Nessus 

V Nikto 
Nmap 

\S Pwdump2 

SPI Dynamics Weblnspect 
* THC-RUT 

V ToneLoc 



Part I: Building the Foundation for Ethical Hacking 



l-v if Wild 

pBooKs 



*>* Wellenreiter 

WildPackets EtherPeek and AiroPeek 



these tools, including details on how to use many of them, in Parts II 
through V when I cover specific hack attacks. Appendix A contains a more 
comprehensive listing of these tools for your reference. 

The capabilities of many security and hacking tools are often misunderstood. 
This misunderstanding has shed negative light on some excellent tools, such 
as SATAN (Security Administrator Tool for Analyzing Networks) and Nmap 
(Network Mapper). It's important to know what each tool can and can't do 
and how to use each one. I suggest reading the manual and other help files. 
Unfortunately, some tools have limited documentation, which can be pretty 
frustrating when you're trying to use those tools. You can search newsgroups 
and message boards and post a message if you're having trouble with a tool. 

Hacking tools can be hazardous to your network's health. Be careful when 
using them. Always make sure that you understand what every option does 
before you use it. Try your tools on test systems if you're not sure how to use 
them. These precautions help prevent DoS conditions and loss of data 
integrity and availability on your production systems. 

Look for these characteristics in the tools you select for ethical hacking: 



Adequate documentation. 

V Detailed reports on the vulnerabilities, including how they may be 
exploited and fixed. 

V Updates and support when needed. 

High-level reports that can be presented to managers or other nontechie 
types. These reports can save you time and effort when you're writing 
the report. I cover the reporting process in Chapter 17. 



Know the limitations of your tools and of yourself. Many security-assessment 
tools generate false positives — alerting to a vulnerability when it doesn't 
really exist. Some even generate false negatives, which means they miss the 
vulnerabilities altogether. Likewise, if you're performing social-engineering 
tests or physical-security assessments, it's only human to miss specific 
vulnerabilities. 



You may despise some "popular" freeware and open-source hacking tools. If 
these tools end up causing you more headaches than they're worth or don't 
do what you need them to do, consider purchasing commercial alternatives. 
They're often easier to use and typically generate better reports faster — 
especially high-level executive reports. Some commercial tools are quite 
expensive, but their ease of use and functionality may justify the cost. 



Chapter 4 

0C Hacking Methodology 



In This Chapter 

Examining steps for successful ethical hacking 

Gleaning information about your organization from the Internet 

Scanning your network 

Looking for vulnerabilities 

•••••••••••••••••••••••••••••••••••i 



efore you start testing your systems, plan a basic methodology. Ethical 
hacking involves more than just penetrating and patching. Proven tech- 
niques can help guide you along the hacking highway and ensure that you 
end up at the right destination. Planning a methodology that supports your 
ethical hacking goals is what separates the professionals from the amateurs. 



Setting the Stage 

In the past, ethical hacking was mostly a manual process. Now, tools can 
automate various tasks. These tools allow you to focus on performing the 
tests instead of on your testing methods. However, it's important to follow a 
general methodology and understand what's going on behind the scenes. 





Ethical hacking is similar to beta testing software. Think logically — like a 
programmer — dissecting and interacting with all the network components 
to see how they work. You gather information — often small pieces — and 
assemble the pieces of the puzzle. You start at point A with several goals in 
mind, hack (repeating many steps along the way), and move closer until you 
discover security vulnerabilities at point B. 

The process that ethical hacking is built around is basically the same as what 
a malicious hacker would use. The goals and how you achieve them are dif- 
ferent. In addition, as an ethical hacker, you will eventually attempt to assess 
all information-security vulnerabilities and properly address them, rather 
than run a single exploit. Today's attacks can come from any angle against 
any system, not just from the perimeter of your network and the Internet. 
Test every possible entry point, including partner, vendor, and customer 
networks, as well as home users, wireless LANs, and modems. 



Part I: Building the Foundation for Ethical Hacking 



When you start rolling with your ethical hacking, keep detailed logs of every 
test you perform, every system you test, and your results. This information 
you do the following: 

Track what worked in previous tests and why. 

Help prove that you didn't maliciously hack the systems. 

V Correlate your testing with intrusion-detection systems and other log 
files if questions arise. 

In addition to taking general notes, it's also helpful to take screen captures of 
your results whenever possible. These will come in handy later if you need to 
show proof of what occurred, as well as when you're generating your final 
report. Chapter 1 lists the general steps of ethical hacking. 

These steps don't include specific information on the low-tech hacking methods 
that you will use for social engineering and assessing physical security, but 
the techniques are basically the same. I cover these methods in more detail 
in Chapters 5 and 6. 

Your main task is to simulate information-gathering and system compromises 
carried out by a hacker. This can be either a partial attack on one computer 
or a comprehensive attack against the entire organization. Generally, you're 
looking for what both inside and outside hackers see. You want to assess 
internal systems (processes and procedures that involve computers, net- 
works, people, and physical infrastructures). Look for vulnerabilities; check 
how all your systems interconnect and how private systems and information 
are protected from untrusted elements. 




If you're performing ethical hacking for a customer, you may go the blind- 
assessment route and start with just the company name and no other infor- 
mation that gives you a leg up, such as: 





IP addresses 


IS 


Host names 


)S 


Software versions 


)S 


Firewall rules 


)S 


Phone numbers 


IS 


Employee names 



This blind-assessment approach allows you to start from ground zero and 
gives you a better sense of what information hackers can access publicly. 




As an ethical hacker, you may not have to worry about covering your tracks 
or evading intrusion-detection systems, because everything you're doing is 
legitimate. But then again, one of your goals may be to test systems in a stealthy 



Chapter 4: Hacking Methodology 



)pBoote 



fashion. I discuss techniques that hackers use to conceal their actions in later 
chapters and outline some countermeasures for them as well. I don't discuss 
your tracks in the overall ethical hacking methodology. 



Seeing What Others See 




Your reconnaissance mission can turn up a ton of information about your 
organization and systems that the whole world can see. This process is often 
called footprinting. Here's how to gather the information: 

V 0 Start by using a Web browser to search the Web for information about 
your organization. 

With the resources available on the Internet, you can gather information 
until the end of time. Unless you're really bored or trying to take advan- 
tage of AOL's introductory offer to stay online for free for 23 hours a day 
I don't recommend it! 

Discover more-specific information about your systems from a hacker's 
viewpoint. You can determine this information by running network scans, 
probing ports, and assessing vulnerability. 



Whether you're searching generally or probing more technically, you ulti- 
mately should limit the amount of information you gather based on what's 
reasonable for you. You may spend an hour, a day, or a week gathering this 
information — it all just depends on how large your organization is and the 
complexity of your information systems. 



Gathering public information 

The amount of information you can passively gather usually is staggering. 
This information is all over the Internet. It's your job to find out what every- 
one knows about you. This information positions hackers to target specific 
areas, including departments and individuals. 

Web search 

Performing a Web search or simply browsing your Web site can turn up the 
following information: 

W Employee names and contact info 

*** Important company dates 

f Incorporation filings for private companies 



Part I: Building the Foundation for Ethical Hacking 



I— ^ tr* Press 

pbocfe 



SEC filings for public companies 

Press releases on moves, organizational changes, and new products 




ers and acquisitions 
i>* Patents and trademarks 
*** Presentations, articles, and Webcasts 

My favorite tool — the favorite of many hackers — is Google (www .google, 
com). It ferrets out information — from word-processing documents to graph- 
ics files — on any publicly accessible computer. It's free, too! There are entire 
books on using Google. Appendix A lists my favorite resources. With Google, 
you can search the Internet several ways: 



V By typing keywords: This often reveals dozens and sometimes hun- 
dreds of pages of information — such as files, phone numbers, and 
addresses — that you never guessed were available. 

V By performing more advanced Web searches: Google's advanced search 
options can find sites that link back to your company's Web site. This 
type of search often reveals a lot of information about partners, vendors, 
clients, and other affiliations. 

V By using switches to dig deeper into a Web site: For example, if you 
want to find a certain word or file on your Web site, simply enter a line 
like one of the following into Google: 

si te : www .your_doma in . com keyword 
si te: www .your_domai n .com fi lename 



Web emitting 

Web-crawling utilities such as BlackWidow can mirror your Web site by down- 
loading every publicly accessible file from it. You can then inspect 

v 0 The Web site layout and configuration offline. 

The HTML source code of Web pages. 

V Comment fields. These fields contain such information as names and 
e-mail addresses of the developers and internal IT personnel, server 
names, software versions, and internal addressing schemes. 

Web sites 

These Web sites may provide specific information about your organization: 
Government and business Web sites: 



• www . hoovers .com and fi nance .yahoo .com for detailed informa- 
tion about public companies 



Chapter 4: Hacking Methodology 



• www .sec . gov/edgar . shtml for SEC filings on public companies 
■— ^ I | • www .uspto.gov for patent and trademark registrations 

ipBooks 



The Web site for your state's Secretary of State or similar organiza- 
tion for incorporation and corporate officer information 

v 0 Background checks through companies such as ChoicePoint 

(www . choi cepoi nt . com) and USSearch (www . ussearch . com) 



Mapping the netu/ork 

When you're mapping out your network, you can search public databases 
and resources to see what the hackers know about you. 

Whois 

The best starting point is to perform a Whois lookup by using any one of the 
Whois tools available on the Internet. Whois is the tool you've most likely 
used to check whether a particular Internet domain name is available. 

For ethical hacking, Whois provides information that can give a hacker a leg 
up to start a social-engineering attack or to scan your network: 

Iu* Internet domain-name information, such as contact names and addresses 
is* DNS servers responsible for your domain 

You can look up Whois information at one of the following places: 

is* A domain registrar's site, such as www . networks ol uti ons . com or 
www .registerfly.com. 

An ISP's tech-support page. 

My favorite Whois tool is Sam Spade (www . samspade .org). You can use its 
Web site or download its Windows-based tool, shown in Figure 4-1. 

You can run DNS queries directly from the site or download the site's Windows- 
based tool and run it from your PC. Sam Spade can 

Display general domain-registration information 

f" Show which host handles e-mail (the Mail Exchanger or MX record) for a 
domain 

i>* Determine whether the host is listed on some spam blacklists 



Part I: Building the Foundation for Ethical Hacking 



Go Bookmarks Tools Window Help 




Figure 4-1: 

The Sam 
Spade 
graphical 
interface. 



_ « X 





Customer Name: 


Average Joe User 




Date Range: 




11/3012003 - 01 131/2004 






Template Title: 


Executive Report 




Trend Analysis: 




Last 8 weeks 






IPs Scanned: 


29 




include ['etailed F:e:i..lt:' 




No 






Total Scans: 


33 








Host 






Summary of Vulnerabilities 










♦ 83 □ 






^ 3.8 


by Status 


by Severity 


5 Biggest Categories 


Status 


Vulnerabilities 




Vulnerabilities 




Category 


Vulnerabilities 






475 


5 18 + 4 □ 


Information gathering 


120 


+ 15 □ 


Active 100 


4 x -7 a 


TCP/IP 


91 


+ 12 


Re-Opened 0 


3 


72 


+ 13 □ 


SMMP 


73 


o - 


Fixed 0 


2 


155 


• 30 


General remote services 


es 


<■ 14 


Changed 


475 


1 


300 


+ 29 O 


SMB 1 NETBIOS 


54 


+ 17 □ 





Number of Vulnerabilities by Severity 




Your network bad: 

■ 18 Severny 5 (Urgent) 

■ 30 severity 4 (Cntlced) 

□ 72 Severny 3 (Serious) 

□ 155 Severny 2 (Medium) 

□ 300 Severnyt (Minimal) 
575 Total 



,i* .'Si Done 



The following list runs down various lookup sites for other categories: 

V Government: whoi s . ni c . gov 
Military: whois.nic.mil 

AfriNIC: www .afrinic.org (emerging Regional Internet Registry for 
Africa) 

jV APNIC: www .apnic. net/search/ index. html (Regional Internet 
Registry for the Asia Pacific Region) 

ARIN: www . ar i n. net/who is/index. html (Regional Internet Registry 
for North America, a portion of the Caribbean, and subequatorial Africa) 

LACNIC: Latin American and Caribbean Internet Addresses Registry 

www . 1 acni c . net 

f RIPE Network Coordination Centre: www . ri pe . net/db/whoi s/ 

whoi s . html (Europe, Central Asia, African countries north of the 
equator, and the Middle East) 

Al 1 doma i ns . com offers a reverse Whois service called D-Tective. This paid 
service finds specific Internet domains for a domain name, a phone number, 
or an address. 



Chapter 4: Hacking Methodology 



i ne uoot 

)pBocfe 



Google groups 

The Google Groups at groups. google. com can reveal surprising public 
information. Search for such information as your hostnames, IP 
tWrfeSses, and usernames. You can search hundreds of millions of Usenet 
posts back to 1981 for public and often very private information. 





You might find some information such as the following that you didn't realize 
was being made public: 



is* A tech-support or similar message that divulges too much information 
about your systems. Many people who post messages to Usenet don't 
realize that their messages are shared with the world. 

V Disgruntled employees or customers who have posted confidential infor- 
mation about your company. 



A few years ago, I was helping some folks at an Internet startup company 
select a telephone service vendor. I searched Google Groups for a vendor 
they were interested in and turned up some interesting information about 
the telephone service's network. Apparently, its network administrator had 
posted some messages to a tech-support site that revealed his full name and 
e-mail address, specific server names, IP addresses, and network configura- 
tion information of its internal systems. My customer used another vendor. 

If you discover that confidential information is posted about your company, 
you may be able to get it removed. Check out the Google Groups help page at 

groups, google.com/googlegroups/help. html for details. 

Privacy policies 

Check your Web site's privacy policy. A good practice is to disclose basic 
information about how user information is protected. 

Make sure that the people writing privacy policies don't divulge details about 
your information-security infrastructure. An Internet startup businessman 
once contacted me about business opportunities. During the conversation, 
he was bragging about his company's security systems to ensure the privacy 
of client information. I went to his Web site to check out his privacy policy. 
He had posted the brand and model of firewall he was using. Not a good idea! 



Scanning Systems 



Active information gathering produces more details about your network and 
helps you see your systems from a hacker's perspective. For instance, you can 



Part I: Building the Foundation for Ethical Hacking 



otner 

pBooksr. 

and ii 



**" Use the information provided by your Whois lookups and start testing 
other closely related IP addresses and host names. When you map out - 
erate — your network, you see how your systems are laid out. 
includes determining IP addresses, host names (both external 
and internal), running protocols, open ports, and running services 
and applications. 

V Scan your internal hosts — if they are within the scope of your testing. 
These hosts may not be visible to outsiders, but you should test them. 
The hacker may be on the inside! 




If you're not completely comfortable scanning your systems, consider first 
using a lab with test systems or a system running virtual-machine software 
such as VMware Workstation or Microsoft's Virtual PC. Some hacking tools 
may not work as designed when you run them on virtual-machine software. If 
you have trouble getting the software to load or hosts to respond, you may 
have to run your tests against physically separate computers. 



Hosts 

Scan and document specific hosts that are reachable from the Internet. Start 
by pinging either specific host names or IP addresses with one of these: 

V The basic ping utility that's built into your operating system 

f A third-party utility that allows you to ping multiple addresses at the 
same time, such as SuperScan (www . f oundstone . com) and NetScanTools 
Pro (www .netscantools .com) for Windows and fping for UNIX (which 
allows you to ping more than one address) 

The site www . what i smyi p . com shows how your gateway IP address appears 
on the Internet. Just browse to that site. Your outermost public IP address 
(your firewall or router — preferably not your local computer) appears. 



Modems and open ports 

Scan for modems and open ports by using network-scanning tools: 

i^* Check for unsecured modems with war-dialing software, such as ToneLoc, 
PhoneSweep, and THC-Scan. I cover war dialing in Chapter 8. 

f* Scan network ports with SuperScan or Nmap (www . i insecure .org/ 
nma p). You can use a happy-clicky-GUI version made for Windows called 
NMapWin, shown in Figure 4-2. See Chapter 9 for details. 

Listen to network traffic with a network analyzer such as Ethereal. I cover 
this topic in various chapters throughout the book. 



Chapter 4: Hacking Methodology 



DropBoofe 



Figure 4-2: 

The 
NMapWin 
graphical 
interface. 




| Discover j Options J Timing | Files | Service | Win32 | 

— rSc; 



Scan 
Mode 
C Conned 
O SYN Stealth 
<~ FIN Stealth 



r Null Scan C Window Scan 
l" XmasTtee C RCPScan 
t~ IP Scan r List Scan 



Scan Option.: 
W Poit Range 
|M10 

T Device 



<~ Ping Sweep C idle Scan 
<~ UDPScan <~ ACKScan 



f~ Idle Scan Host 



I" Use Decoy l~~ Bounce Scan 

I I 

I - Souce Address [~ Source Port 



r 



Output 



Starting nmap V. 3.00 C WAW.insecure.org/nmap ) 
Interesting ports on (10.1. 1.1}: 

(The 104 ports scanned but not shown below are in state: closed) 



73 



Port 
2S/tcp 
80/tcp 
Sl/tcp 
82/tCp 
97/tcp 
110/tcp 



state 
open 
open 
open 
open 
open 
open 



Servi ce 
smtp 
http 

hosts2-ns 
xfer 

swi f t-rvf 

pep-; 



Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or winXP 
Nmap run completed -- 1 IP address C 1 host up) scanned in 1 second 



U 



jCMD nmap-sS -PT -PI -p 1-110 -n-0 T 310.1.1 1 



S| 28/10/03 | 20:54:51 



Scanning internally is easy. Simply connect your PC to the network, load up 
the software, and fire away. Scanning from outside your network takes a few 
more steps, but it can be done: 

i>* For war dialing, scanning shouldn't be an issue. You can just use one of 
your internal analog lines to dial out from. 

V Pinging and scanning is more complicated. The easiest way to connect 
and get an "outside-in" perspective is to assign yourself a public IP 
address and plug your workstation into a switch or hub on the public 
side of your firewall or router. Physically, you're not on the Internet look- 
ing in, but this type of connection works just the same. 



Determining What's Running 
on Open Ports 

As an ethical hacker, you should glean as much information as possible after 
scanning your systems. You can often identify the following information: 

I Protocols in use, such as IP, IPX, and NetBEUI 

Services running on the hosts, such as e-mail and database applications 



Part I: Building the Foundation for Ethical Hacking 



pBooks 

is Reqi 



f Available remote-access services, such as Windows Terminal Services 
and Secure Shell (SSH) 

services, such as PPTP, SSL, and IPSec 

Required authentication for network shares 



You can look for the following open ports (your network scanning program 
reports these as open): 

V Ping (ICMP echo) replies; ICMP traffic is allowed to and from the host 
TCP port 20 and/or 21, showing that FTP is running 
TCP port 23, showing that telnet is running 

V TCP ports 25 or 465 (SMTP), 110 or 995 (POP3), or 143 or 993 (IMAP), 
showing that an e-mail server is running 

TCP/UDP port 53, showing that a DNS server is running 

V TCP ports 80 and 443, showing that a Web server is running 

TCP/UDP ports 137, 138, and 139, showing that an unprotected Windows 
host is running 

Thousands of ports can be open — 65,535, to be exact. I cover many popular 
port numbers when describing hacks throughout this book. A listing of all 
well-known port numbers (ports 1-1023) and registered port numbers (ports 
1024-49151), with their associated protocols and services, is located at 

www . i ana. org/assignments /port- numbers. You can also perform a port- 
number lookup at www .cotse. c om /eg i -bin/port. eg i. 

If you detect a Web server running on the system you're testing, you can 
check the software version by using one of the following methods: 

f Type the site's name, followed by a page that you know doesn't exist, 
such as www .your_domai n. com/1234. html. Many Web servers return 
an error page showing detailed version information. 

Use Netcraft's Web server-search utility (www . netcraf t .com), which 
connects to your server from the Internet and displays the Web-server 
version and operating system, as shown in Figure 4-3. 

You can dig deeper for more specific information on your hosts. This reveals 
what software version is running on the systems and more: 

f NMapWin can determine the system OS version; refer to Figure 4-2. 

An enumeration utility (such as DumpSec) can extract users, groups, 
and file and share permissions directly from Windows. 

Many systems return useful banner information when you connect to a 
service or application running on a port. For example, if you telnet to an 



Chapter 4: Hacking Methodology 



pBooks 



e-mail server on port 25 by entering tel net mai 1 .your_domai n . com 
25 at a command prompt, you may see something like this: 



0 mail.your_domain.com ESMTP all _the_versi on_i nfo_ 
you' 1 1 _ever_need Ready 



Most e-mail servers return detailed information, such as the version and 
the current service pack installed. After you have this information, you 
(and hackers) can determine what vulnerabilities are present on the 
system from some of the Web sites listed in the next section. 

V An e-mail to an invalid address may return with detailed e-mail header 
information. A bounced message often discloses lots of information that 
can be used against you, including internal IP addresses and software 
versions. On certain Windows systems, you can map drives and establish 
other types of network connections. I cover these issues in Chapter 11. 



I {;:■ Neter.ilt Wh.it \ Thai Site Rtinniny Results - Mu/ill<i 



Figure 4-3: 

N etc raft's 
Web-server 
version 
utility. 



Qb Edit View _j gookmarks Tools Window Help 



3* III. | Af. http: //uptime. netct aft. com/up/graph/ ?hos5=www.principlelcgic,corr| 



~3 &~ sei 



■•ilHome ^Bookmarks £ EMAIL THIS ^SAVE THI5 



flETCIVAFT 



Search Web by Dom, 
Internet Data Mining 

Hosting Provider Swrtchi 



'eb Server Survey Archive 
Performance 

Hosting Providers Net*crk 
Performance 
dicated Server Monitoring 
Security 

itomated Security Testing 



Whats that site running? |www pririciplelogic.COrr 
3rinciplelogic.com is running Apache/2.0.47 (Win32) on Windows 2000. FAQ 

Apache is also being used by Racks pace 
ie* Ho.-tma Ptovid*ti Metwoiii Pertain- a nee comparison, updated every 15 mlns. 



OS, Web Server and Hasting History for 



s 2000 
s 2000 
I 2000 
s 2000 
s 2000 
s 2000 
s 2000 
s 2000 
s 2000 
s 2000 



Apache/2 
Apache/2 
Apache/2 
Apacha/2 
Apacha/2 
Apache/2 
Apache/2 
Apache/2 
Apache/2 
Apache/2 



0.47 (Win32) 
0.39 (Win32) 
0,39 (Win32) 




n32) 
n32) 
n32) 



0.39 (Wi 
0.39 (Wi 
0.39 (Wi 
0.39 (Win32) 
0.39 (Win32) 
0.39 (Win32) 
0.39 (Win32) 



29-Jun 
28-Jun 
26-Jui 



68,209,117,10 
67.34,129,92 
67.33,167,28 
69.19.12.39 
68.154.17.145 
67.33.69.60 
67.33.133.251 
68.158,70.158 
68.19.3,93 
68.154,15.212 



illSouth.n 

illSouth.n 
illSouth.n 
illSouth.n 
■ ll:.,j.jth. n 



Assessing Vulnerabilities 

After finding potential security holes, test whether they are vulnerabilities. 
Before you test, perform some manual searching. You can research hacker 
message boards, Web sites, and vulnerability databases, such as these: 

Common Vulnerabilities and Exposures (cve.mitre.org/cve) 
i>* CERT/CC Vulnerability Notes Database (www . kb . cert . org/vul s) 
V NIST ICAT Metabase (i cat . ni st . gov/i cat . cfm) 

These sites list practically every known vulnerability If you can't find a vulner- 
ability documented on one of these sites, search the vendor's site. You can find 



Part I: Building the Foundation for Ethical Hacking 



pBoote 

If you're r 



a list of commonly exploited vulnerabilities at www. sans.org/top20. This is 
the SANS Top 20 Internet Security Vulnerabilities consensus list, which is 
and updated by information-security authorities. 



you're not keen on researching your potential vulnerabilities and can jump 
right into testing, you have a couple of options: 

*>* Manual assessment: You can assess the potential vulnerabilities by con- 
necting to the ports that are exposing the service or application and 
poking around. You should manually assess certain vulnerabilities (such 
as in Web applications). The vulnerability reports in the preceding data- 
bases often disclose how to do this — at least generally. If you have a lot 
of free time, performing these tests manually may be for you. 

Automated assessment: If you're like me, you'll assess vulnerabilities 
automatically when you can. Manual assessments are a great way to 
learn, but people usually don't have the time for most manual steps. 

I love many of the available vulnerability-assessment tools. Some test 
for vulnerabilities on specific platforms (such as Windows and UNIX) and 
types of networks (either wired or wireless). They test for specific system 
vulnerabilities — some even focus on the SANS Top 20 list. Versions of these 
tools can map the business logic within an application; others can help soft- 
ware developers test for code flaws. The drawback to these tools is that they 
find only individual vulnerabilities, not correlating vulnerabilities. However, 
this is changing with the advent of event-correlation applications. 

Many people love the Nessus tool (www .nessus.org). However, it's not best 
for beginners or without a Linux or UNIX server. 

One of my favorite ethical hacking weapons is a vulnerability-assessment tool 
called QualysGuard by Qualys (www . qua! ys .com). It's both a port scanner 
and vulnerability-assessment tool. You don't even need a computer to run it. 

QualysGuard — which has its roots in Nessus — is an application service 
provider-based commercial tool. Just browse to the Qualys Web site, log in, 
and enter the IP address of the systems you want to test. You schedule the 
assessment; it runs, then generates excellent reports, such as these: 

An executive report containing information like the partial screen 
capture of a QualysGuard report shown in Figure 4-4. 

u* A technical report of detailed explanations of the vulnerabilities and 
specific countermeasures. 

Like most good security tools, you pay for QualysGuard — it's not the least 
expensive tool — but you get what you pay for. Some newer products offer 
similar technical capabilities while adding convenience. 



Chapter 4: Hacking Methodology 



Figure 4-4: 

A sample 
QualysGuard 
vulnerability- 
assessment 
report. 



QualysGuard 



| ?|Ouia He.p j 



Executive Report 



~j [ Download"] ( 



| Summary 



CD® C£°J 



Summary of Vulnerabilities on All IPs Gionps 



1 Vulnerabilities Total: 
Report Summary 



1 24; 1 Oveiall Trend: 



00 | 1 Overall Secin iiy Risk: | 



IPs Scanned: 
Total Scans: 
Dynamic Analysis: 
Sort by: 

IPiRange: 10.30.31.13 



Last 3 weeks 



Fit*' ^evirrry. 
Filter Status: 
Include Detailed Resulis: 
Date Range: 

Filter disabled vulnaabiliiie:: 



04 112^002 to :i4;U4.':00^ 



by St.ltllS 
St.itus 

Re-Opened 

Fixed 

Changed 



ITutneriMBJea 



by Seventy 



'.nil,.-! ■l.ililies Trend 



-2$ 

-2 



5 Bi'jijest Categories 

Category Vulnerabilities Trend 

SMB / NETBIOS 11 

Information gathering 4 

File Transfer FTotocol 4 

TCP/P 2 

Firewall 1 




Assessing vulnerabilities with a tool such as QualysGuard requires follow-up 
expertise. Study the reports to base your recommendations on the tested 
systems. 



Penetrating the System 

You can use identified critical security holes to do the following: 

Gain further information about the host and its data. 
Start or stop certain services or applications. 

V Access other systems. 

v 0 Disable logging or other security controls. 
Capture screen shots. 

V Install such hacker tools as rootkits (hacker programs that masquerade 
as legitimate OS programs) and network analyzers for later backdoor 
entry. 

W Capture keystrokes. 

Send an e-mail as the administrator. 
i>* Perform a buffer-overflow attack. 

Launch another type of DoS attack. 

Upload a file proving your victory. 



Part I: Building the Foundation for Ethical Hacking 



system pe 

pBoafe 



You can exploit the vulnerabilities on your systems and go for complete 
system penetration. Ideally, you've already made your decision on this. You 
to leave well enough alone. There are also tasks you can't do — 
stalling rootkits or planting a file — unless you try. 



9/ 



Leave the more-intrusive penetration to those with more time on their hands. 
Focus on correcting problems. Part VI of this book covers reporting, patching, 
and managing. 

Don't take the steps I outline in this chapter too literally. General ethical 
hacking methodologies can be either too simplistic or too rigid. Ultimately, 
you are in control and can decide what to do and when to do it. 




DropBook kttin P gEthical 

Hacking in Motion 



The 5 th Wave 



By Rich Tennant 



DropBooks 



In this part . . . 

m et the games begin! You've waited long enough — 
Awnow's the time to start testing your systems. But 
where do you start? How about with your two Ps — your 
people and your physical systems? These are, after all, 
two of the most easily and commonly attacked targets in 
your organization. 

This part starts out with a discussion of hacking people. 
It then goes on to take a look at physical security vulnera- 
bilities. Of course, I'd be remiss in a part about people if I 
skipped passwords, so I cover testing those as well. This 
is a great way to get the ball rolling to warm you up for the 
more specific hacks that come later in the book. 



DropBooka 



Chapter 5 



Social Engineering 



In This Chapter 

Introducing social engineering 
Examining the ramifications of social engineering 
Understanding social-engineering techniques 
Protecting your organization against social engineering 



^^oc;'a/ engineering takes advantage of the weakest link in any organiza- 
^^tion's information-security defenses: the employees. Social engineering is 
"people hacking" and involves maliciously exploiting the trusting nature of 
human beings for information that can be used for personal gain. 



Typically hackers pose as someone else to gain information they otherwise 
can't access. Hackers then take the information obtained from their victims 
and wreak havoc on network resources, steal or delete files, and even commit 
industrial espionage or some other form of fraud against the organization 
they're attacking. Social engineering is different from physical-security issues, 
such as shoulder surfing and dumpster diving, but they are related. 

Here are some examples of social engineering: 

v 0 False support personnel claim that they need to install a patch or new 
version of software on a user's computer, talk the user into downloading 
the software, and obtain remote control of the system. 

False vendors claim to need to make updates to the organization's 
accounting package or phone system, ask for the administrator pass- 
word, and obtain full access. 

u* False contest Web sites run by hackers gather user IDs and passwords 
of unsuspecting contestants. The hackers then try those passwords on 
other Web sites, such as Yahoo! and Amazon.com, and steal personal or 
corporate information. 




Social Engineering 101 



Part II: Putting Ethical Hacking in Motion 



pBooks 

Sometime 



I V False employees notify the security desk that they have lost their keys 
to the computer room, are given a set of keys, and obtain unauthorized 



ss to physical and electronic information. 



Sometimes, social engineers act as forceful and knowledgeable employees, 
such as managers or executives. Other times, they may play the roles of 
extremely uninformed or naive employees. They often switch from one mode 
to the other, depending on whom they are speaking to. 

Effective information security — especially for fighting social engineering — 
begins and ends with your users. Other chapters in this book provide great 
technical advice, but never forget that basic human communication and 
interaction also affect the level of security. The candy-security adage is "Hard 
crunchy outside, soft chewy inside." The hard crunchy outside is the layer of 
mechanisms — such as firewalls, intrusion-detection systems, and encryp- 
tion — that organizations rely on to secure their information. The soft chewy 
inside is the people and the systems inside the organization. If hackers can 
get past the thick outer layer, they can compromise the (mostly) defenseless 
inner layer. 

Social engineering is one of the toughest hacks, because it takes great skill to 
come across as trustworthy to a stranger. It's also by far the toughest hack 
to protect against because people are involved. In this chapter, I explore the 
ramifications of social engineering, techniques for your own ethical hacking 
efforts, and specific countermeasures to take against social engineering. 



Before \lou Start 

I approach the ethical hacking methodologies in this chapter differently than 
in subsequent hacking chapters. Social engineering is an art and a science. It 
takes great skill to perform social engineering as an ethical hacker and is 
dependent upon your personality and overall knowledge of the organization 
you're testing. If social engineering isn't natural for you, consider using the 
information in this chapter for educational purposes — at first — until you 
have more time to study the subject. 




You can use the information in this chapter to perform specific tests or improve 
information-security awareness in your organization. Social engineering can 
harm people's jobs and reputations, and confidential information could be 
leaked. Proceed with caution and think before you act. 



You can perform social-engineering attacks millions of ways. For this reason, 
and because it's next to impossible to train specific behaviors in one chapter, 
I don't provide how-to instructions on carrying out social-engineering attacks. 
Instead, I describe specific social-engineering scenarios that have worked for 
other hackers — both ethical and unethical. You can tailor these same tricks 
and techniques to specific situations. 



Chapter 5: Social Engineering 



p! 



P^^iAcase study in social engineering 
DUUr\b with Ira Winkler 



In this case study, Ira Winkler, a world-renowned 
social engineer, was gracious in sharing with 
me an interesting study in social engineering. 

The Situation 

Mr. Winkler's client wanted a general tempera- 
ture of the organization's security awareness 
level. He and his accomplice wentforthe pot of 
gold and tested the organization's susceptibility 
to social engineering. Getting started, they 
scoped out the main entrance of the client's 
building and found that the reception/security 
desk was in the middle of a large lobby and was 
staffed by a receptionist. The next day, the two 
men walked into the building during the morn- 
ing rush while pretending to talk on cell phones. 
They stayed at least 15 feet from the attendant 
and simply ignored her as they walked by. 

After they were inside the facility, they found a 
conference room to set up shop. They sat down 
to plan the rest of the day and decided a facility 
badge would be a great start. Mr. Winkler called 
the main information number and asked for the 
office that makes the badges. He was forwarded 
to the reception/security desk. He then pre- 
tended to be the CIO and told the person on 
the other end of the line that he wanted badges 
for a couple of subcontractors. The person 
responded, "Send the subcontractors down to 
the main lobby." 

When Mr. Winkler and his accomplice arrived, 
a uniformed guard asked whatthey were work- 
ing on, and they mentioned computers. The 
guard then asked them if they needed access to 
the computer room! Of course they said, "That 
would help." Within minutes, they both had 
badges with access to all office areas and the 
computer operations center. They went to the 
basement and used their badges to open the 
main computer room door. They walked right in 
and were able to access a Windows server. 



load the user administration tool, add a new 
user to the domain, and make the user a 
member of the administrators' group. Then they 
quickly left. 

The two men had access to the entire corporate 
network with administrative rights within two 
hours! They also used the badges to perform 
after-hours walkthroughs of the building. In 
doing this, they found the key to the CEO's office 
and planted a mock bug there. 

The Outcome 

Nobody outside the team knew what the two 
men did until they were told after the fact. After 
the employeeswere informed, the guard super- 
visor called Mr. Winkler and wanted to know 
who issued the badges. Mr. Winkler informed 
him that the fact that his area didn't know who 
issued the badges was a problem in and of 
itself, and that he does not disclose that infor- 
mation. 

How This Could Have Been Prevented 

According to Mr. Winkler, the security desk 
should have been located closertothe entrance, 
and the company should have had a formal 
process for issuing badges. In addition, access 
to special areas like the computer room should 
require approval from a known entity. After 
access is granted, a confirmation should be 
sent to the approver. Also, the server screen 
should have been locked, the account should 
not have been logged on unattended, and any 
addition of an administrator-level account should 
be audited and appropriate parties should be 
alerted. 

Ira Winkler, CISSP, CISM, is considered one of 
the world's best social engineers. You can find 
more of his case studies in his book Spies 
Among Us (McGraw-Hill). 



Part II: Putting Ethical Hacking in Motion 



These social-engineering techniques may be best performed by an outsider 
to the organization. If you're performing these tests against your own organi- 
u may have difficulties acting as an outsider if everyone knows you. 
not be a problem in larger organizations, but if you have a small, 
company, people usually are on to your antics. 

You can outsource social-engineering testing to a trusted consulting firm or 
even have a colleague perform the tests for you. The key word here is trusted. 
If you're involving someone else, you must get references, perform background 
checks, and have the testing approved by management in writing beforehand. 
I cover the topic of outsourcing ethical hacking in Chapter 19. 



Why Hackers Use Social Engineering 

Bad guys use social engineering to break into systems because they can. They 
want someone to open the door to the organization so that they don't have to 
break in and risk getting caught. Firewalls, access controls, and authentication 
devices can't stop a determined social engineer. 

Most social engineers perform their attacks slowly, so they're not so obvious 
and don't raise suspicion. The bad guys gather bits of information over time 
and use the information to create a broader picture. Alternatively, some social- 
engineering attacks can be performed with a quick phone call or e-mail. The 
methods used depend on the hacker's style and abilities. 

Social engineers know that many organizations don't have formal data classi- 
fication, access-control systems, incident-response plans, and security- 
awareness programs. 

Social engineers know a lot about a lot of things — both inside and outside 
their target organizations — because it helps them in their efforts. The more 
information social engineers gain about organizations, the easier it is for them 
to pose as employees or other trusted insiders. Social engineers' knowledge 
and determination give them the upper hand over average employees who 
are unaware of the value of the information social engineers are seeking. 



Understanding the Implications 

Most organizations have enemies that want to cause trouble through social 
engineering. These enemies could be current or former employees seeking 
revenge, competitors wanting a leg up, or basic hackers trying to prove their 
skills. 





Chapter 5: Social Engineering 



companies 

ipBoote 

and call-ce 



Regardless of who is causing the trouble, every organization is at risk. Larger 
companies spread across several locations are often more vulnerable, but 
panies also are attacked. Everyone from receptionists to security 
IT personnel are potential victims of social engineering. Help-desk 
and call-center employees are especially vulnerable because they are trained 
to be helpful and forthcoming with information. Even the average untrained 
end user is susceptible to attack. 



Social engineering has serious consequences. Because the objective of social 
engineering is to coerce someone for ill-gotten gains, anything is possible. 
Effective social engineers can obtain the following information: 

v 0 User or administrator passwords 

Security badges or keys to the building and even the computer room 

u* Intellectual property such as design specifications, formulae, or other 
research and development documentation 

i>* Confidential financial reports 

Private and confidential employee information 

u* Customer lists and sales prospects 



If any of the preceding information is leaked out, it can cause financial losses, 
lower employee morale, jeopardize customer loyalty, and even create legal 
issues. The possibilities are endless. 

One reason protecting against social-engineering attacks is difficult is that they 
aren't well documented. Because so many possible methods exist, recovery 
and protection are difficult after the attack. The hard crunchy outside created by 
firewalls and intrusion-detection systems often creates a false sense of security, 
making the problem even worse. 

With social engineering, you never know the next method of attack. The best 
you can do is remain vigilant, understand the social engineer's methodology, 
and protect against the most common attacks. In the rest of this chapter, I 
discuss how you can do this. 



Performing Social-Engineering Attacks 

The process of social engineering is actually pretty basic. In general, social 
engineers find the details of organizational processes and information systems 
to perform their attacks. With this information, they know what to pursue. 
Hackers typically perform social-engineering attacks in four simple steps: 



Part II: Putting Ethical Hacking in Motion 



■-^ 2, Buih 

dBooks 

techi 



1. Perform research. 
Build trust. 



oit relationship for information through words, actions, or 
technology. 

4. Use the information gathered for malicious purposes. 

These steps can include myriad substeps and techniques, depending on the 
attack being performed. 

Before social engineers perform their attacks, they need a goal in mind. This 
is the hacker's first step in this process, and this goal is most likely already 
implanted in the hacker's mind. What does the hacker want to accomplish? 
What is the hacker trying to hack? Does he want intellectual property, server 
passwords, or security badges; or does he simply want to prove that the 
company's defenses can be penetrated? In your efforts as an ethical hacker 
performing social engineering, determine this goal before you move forward. 



Fishing for information 

Social engineers typically start by gathering public information about their 
victim. Many social engineers acquire information slowly over time so they 
don't raise suspicion. Obviousness is a tip-off when defending against social 
engineering. I cover other warning signs throughout the rest of this chapter. 

Regardless of the initial research method, all a hacker needs to start penetrat- 
ing an organization is an employee list, a few key internal phone numbers, or 
a company calendar. 

Using the Internet 

Today's basic research medium is the Internet. A few minutes on Google or 
other search engines, using simple key words such as the company name or 
specific employees' names, often produces a lot of information. You can find 
even more information in SEC filings at www .sec.gov and at sites such as 
www .hoovers. com and finance. yahoo. com. In fact, many organizations — 
especially upper management — would be dismayed by what's available. By 
using this search-engine information and browsing the company's Web site, 
the hacker often has enough information to start. 

Hackers can pay $100 or less for a comprehensive background check on indi- 
viduals. These searches can turn up practically any public — and sometimes 
private — information about a person in minutes. 



Chapter 5: Social Engineering 



ipbooRs 



bumpster ditf'mq 

Dujmpster diving is a more difficult method of obtaining information. This 

's literally going through trash cans for information about a company. 



Dumpster diving can turn up even the most confidential information, because 
many employees think that their information is safe after it goes into file 13. 
Most people don't think about the potential value of paper they throw away. 
These documents often contain a wealth of information that tips off the social 
engineer with information needed to penetrate the organization further. The 
astute social engineer looks for the following printed documents: 



v 0 Internal phone lists 




**" Organizational charts 




Employee handbooks, which often contain security policies 


Network diagrams 




i>* Password lists 




Meeting notes 




Spreadsheets and reports 




i>* E-mails containing confidential information 




Shredding is effective if the paper is cross-shredded into tiny pieces of con- 
fetti. Inexpensive shredders that shred documents only in long strips are 
basically worthless against a determined social engineer. With a little time 
and tape, a social engineer can easily piece a document back together. 

Hackers often gather confidential personal and business information from 
others by listening in on conversations held in restaurants, coffee shops, and 
airports. People who speak loudly when talking on a cell phone are a great 
source. Poetic justice, perhaps? While writing in public places, it's amazing 
what I've heard others divulge — and I wasn't trying to listen! 

Hackers also look for floppy disks, CD-ROM and DVD discs, old computer 
cases (especially with hard drives) and backup tapes. 

See Chapter 6 for more on trash and other physical-security issues, including 
countermeasures against these exploits. 

Phone systems 

Hackers can obtain information by using the dial-by-name feature built into 
most voice-mail systems. To access this feature, you usually just press 0 



Part II: Putting Ethical Hacking in Motion 



when calling into the company's main number or even someone's desk. This 
trick works best after hours to make sure that no one answers. 



p Books 

from. Hen 



an protect their identifies if they can hide where they're calling 
from. Here are some ways that they can do that: 

Residential phones sometimes can hide their numbers from caller ID. 
The code to hide a residential phone number from a caller ID is *67. Just 
dial *67 before the number; it blocks the source number. 

This feature is usually disabled when you're calling toll-free (800, 888, 877) 
numbers. 

i>* Business phones are more difficult to spoof from an office by using a 
phone switch. However, all the hacker usually needs is the user guide 
and administrator password for the phone-switch software. In many 
switches, the hacker can enter the source number — including a falsified 
number, such as the victim's home phone number. 

Hackers find interesting bits of information, such as when their victims are out 
of town, just by listening to voice-mail messages. They even study victims' 
voices by listening to their voice-mail messages or Internet presentations and 
Webcasts to impersonate those people. 



Building trust 

Trust — so hard to gain, so easy to lose. Trust is the essence of social engi- 
neering. Most humans trust other humans until a situation occurs that forces 
them not to. We want to help one another, especially if trust can be built and 
the request for help is reasonable. Most people want to be team players in the 
workplace and don't know what can happen if they divulge too much informa- 
tion to a "trusted" source. This is why social engineers can accomplish their 
goals. Of course, building deep trust often takes time. Crafty social engineers 
gain it within minutes or hours. How do they build trust? 

W Likability: Who can't relate to a nice person? Everyone loves courtesy. 
The friendlier the social engineer — without going overboard — the 
better his chances of getting what he wants. Social engineers often begin 
by establishing common interests. They often use information they 
gained in the research phase to determine what the victim likes and act 
as if they like those things as well. For instance, they can phone victims 
or meet them in person and, based on information they've learned about 
the person, start talking about local sports teams or how wonderful it is 
to be single again. A few low-key and well-articulated comments can be 
the start of a nice new relationship. 



Chapter 5: Social Engineering 



ipBookS 

that 



Believability: Of course, believability is based in part on the knowledge 
that social engineers have and how likable they are. But social engineers 



use impersonation — perhaps posing as a new employee or fellow 
loyee that the victim hasn't met. They may even pose as a vendor 
that does business with the organization. They often modestly claim 
authority to influence people. The most common social-engineering trick 
is to do something nice so that the victim feels obligated to be nice in 
return or to be a team player for the organization. 



Exploiting the relationship 

After social engineers obtain the trust of their unsuspecting victims, they 
coax them into divulging more information than they should. Whammo — 
they can go in for the kill. They do this through face-to-face or electronic 
communications that victims feel comfortable with, or they use technology 
to get victims to divulge information. 

beceit through Words and actions 

Wily social engineers can get inside information from their victims many ways. 
They are often articulate and focus on keeping their conversations moving 
without giving their victims much time to think about what they're saying. 
However, if they're careless or overly anxious during their social-engineering 
attacks, the following tip-offs may give them away: 

Acting overly friendly or eager 

Mentioning names of prominent people within the organization 

V Bragging about authority within the organization 

i>* Threatening reprimands if requests aren't honored 

Acting nervous when questioned (pursing the lips and fidgeting — 
especially the hands and feet, because more conscious effort is required 
to control body parts that are farther from the face) 

i>* Overemphasizing details 

Physiological changes, such as dilated pupils or changes in voice pitch 

V Appearing rushed 
Refusing to give information 

Volunteering information and answering unasked questions 
Knowing information that an outsider should not have 
i>* A known outsider using insider speech or slang 



Part II: Putting Ethical Hacking in Motion 



I— ^ tf* Miss 

pBooEs 



v 0 Asking strange questions 

Misspelling words in written communications 



bcial engineer isn't obvious with the preceding actions, but these are 
some of the signs that malicious behavior is in the works. 

Hackers often do a favor for someone and then turn around and ask that person 
if he or she would mind helping them. This is a common social-engineering 
trick that works pretty well. Hackers also often use what's called reverse social 
engineering. This is where they offer help if a specific problem arises; some 
time passes, the problem occurs (often by their doing), and then they help fix 
the problem. They may come across as heroes, which can further their cause. 
Hackers also simply may ask an unsuspecting employee for a favor. Yes — 
they just outright ask for a favor. Many people fall for it. 

Impersonating an employee is easy. Social engineers can wear a similar look- 
ing uniform, make a fake ID badge, or simply dress like the real employees. 
They often pose as employees. People think, "Hey — he looks and acts like 
me, so he must be one of us." Social engineers also pretend to be employees 
calling in from an outside phone line. This is an especially popular way of 
exploiting help-desk and call-center personnel. Hackers know that it's easy 
for these people to fall into a rut due to such repetitive tasks as saying, 
"Hello, can I get your customer number, please?" 

Here's my story about how I was social-engineered because I didn't think 
before I spoke. One day, I was having trouble with my high-speed Internet 
connection. I figured I could just use dial-up access, because it's better than 
nothing for e-mail and other basic tasks. I contacted my ISP and told the tech- 
support guy I couldn't remember my dial-up password. This sounds like the 
beginning of a social-engineering stunt that I could've pulled off, but / got 
taken. The slick tech-support guy paused for a minute, as if he was pulling up 
my account info, and then asked, "What password did you try?" 

Stupid me, I proceeded to mouth off all the passwords it could've been! The 
phone got quiet for a moment. He reset my password and told me what it 
was. After I hung up the phone, I thought, "What just happened? I just got 
social-engineered!" Man, was I mad at myself. I changed all the passwords 
that I divulged in case he used that information against me. I still bet to this 
day that he was just experimenting with me. Lesson learned: Never, ever, 
under any circumstances divulge your password to someone else. 



Deceit through technology 

Technology can make things easier — and more fun — for the social engineer. 
Often, the request comes from a computer or other electronic entity you 
think you can identify. But spoofing a computer name, an e-mail address, a fax 
number, or a network address is easy. Fortunately, you can take a few counter- 
measures against this, as described in the next section. 



Chapter 5: Social Engineering 



lniormatic 

ipBodfcg 



One way hackers deceive through technology is by sending e-mail for critical 
information. Such e-mail usually provides a link that directs victims to a pro- 
and legitimate-looking Web site that "updates" such account infor- 
user IDs, passwords, and Social Security numbers 



Many spam messages use this trick. Most users are inundated with so much 
spam and other unwanted e-mail that they often let their guard down and open 
e-mails and attachments that they shouldn't open. These e-mails usually look 
professional and believable. They often dupe people into disclosing informa- 
tion they should never give in exchange for a gift. These social-engineering 
tricks also occur when a hacker who has already broken into the network 
sends messages or creates fake Internet pop-up windows. The same tricks 
have occurred through instant messaging and cell-phone messaging. 

In some well-publicized incidents, hackers e-mailed to their victims a patch 
purporting to come from Microsoft or another well-known vendor. Users think 
it looks like a duck and it quacks like a duck — but it's not Bill this time! The 
message is from a hacker wanting the user to install the "patch" so a Trojan- 
horse keylogger can be installed or a backdoor can be created into computers 
and networks. Hackers use these backdoors to hack into the organization's 
systems or use the victims' computers (known as zombies) as launching pads 
to attack another system. Even viruses or worms use social engineering. For 
instance, the LoveBug worm told users they had a secret admirer. When the 
victims opened the e-mail, it was too late. Their computers were infected; 
perhaps worse, they didn't have a secret admirer. 

The Nigerian 419 e-mail fraud scheme attempts to access unsuspecting 
people's bank accounts and money. These social engineers — scamsters — 
offer to transfer millions of dollars to the victim to repatriate a deceased 
client's funds to the United States. All the victim must provide is personal 
bank-account information and a little money up front to cover the transfer 
expenses. Victims have ended up having their bank accounts emptied. 

Many computerized social-engineering tactics can be performed anonymously 
through Internet proxy servers, anonymizers, and remailers. When people fall 
for requests for confidential personal or corporate information, the sources 
of these social-engineering attacks are often impossible to track. 



Social-Engineering Countermeasures 

You have only a few good lines of defense against social engineering. Even with 
strong security systems, a naive or untrained user can let the social engineer 
into the network. Never underestimate the power of social engineers. 



Part II: Putting Ethical Hacking in Motion 



Policies 

|^ |*^ ^^|^fQ)olicies help ward off social engineering long-term in these areas: 



V Classifying data 

i>* Hiring employees and contractors and setting up user IDs 

V Terminating employees and contractors, and removing user IDs 
v 0 Setting and resetting passwords 

Handling proprietary and confidential information 
Escorting guests 

These policies must be enforceable and enforced — for everyone within the 
organization. Keep them up to date and tell your end users about them. 



User awareness 

The best line of defense against social engineering is an organization with 
employees who can identify and respond to social-engineering attacks. User 
awareness begins with initial training for everyone and follows with security- 
awareness initiatives to keep social-engineering defenses on everyone's mind. 
Align training and awareness with specific security policies. 

Consider outsourcing security training to a seasoned security trainer. 
Employees often take training more seriously if it comes from an outsider. 
Outsourcing security training is worth the investment. 

As you approach ongoing user training and awareness in your organization, 
the following tips help you combat social-engineering long term: 

Treat security awareness and training as a business investment. 

i>* Train users on an ongoing basis to keep security fresh in their minds. 

V Tailor your training content to your audience whenever possible. 

Create a social-engineering awareness program for your business func- 
tions and user roles. 

v 0 Keep your messages as nontechnical as possible. 

Develop incentive programs for preventing and reporting incidents. 



it* Lead by example. 



Chapter 5: Social Engineering 



Share these tips with your users to help prevent social-engineering attacks: 



ipBoote 

is mj 



er divulge any information unless you can validate that the person 
esting the information needs it and is who he says he is. If a request 
is made over the telephone, verify the caller's identity, and call back. 



is* Never click an e-mail link that supposedly loads a page with information 
that needs updating. This is especially true for unsolicited e-mails. 

Escort all guests within a building. 

Never send or open files from strangers. 

V Never give out passwords. 

A few other general suggestions can ward off social engineering: 



V Never let a stranger connect to one of your network jacks — even for a 
few seconds. A hacker can place a network analyzer, Trojan-horse pro- 
gram, or other malware directly onto your network. 

it* Classify your information assets, both hard-copy and electronic. Train 
all employees to handle each asset type. 

i>* Develop and enforce computer media and document destruction policies 
that help ensure data is handled carefully and stays where it should. 

v 0 Use cross-shredding paper shredders. Better, hire a document-shredding 
company that specializes in confidential document destruction. 

Never allow anonymous File Transfer Protocol (FTP) access into your 
FTP servers if you don't have to. 



These techniques can reinforce the content of formal training: 

i>* New-employee orientation, lunch 'n' learns, e-mails, and newsletters 

f" Social-engineering survival brochure with tips and FAQs 

i>* Trinkets, such as screen savers, mouse pads, sticky notes, pens, and 
office posters 

Appendix A lists my favorite user-awareness trinket vendors to improve 
user awareness in your organization. 



Part II: Putting Ethical Hacking in Motion 



DropBooks 




Chapter 6 

DropBooks n , . lo . A 

Physical Security 



In This Chapter 

Understanding the importance of physical security 

Q&A with a well-known physical-security expert 

Looking for physical-security vulnerabilities 

Implementing countermeasures for physical-security attacks 



f 

■ 'ma strong believer that information security is more dependent on non- 
M technical policies, processes, and procedures than on the technical 
hardware and software solutions that many people swear by. Physical 
security — protection of physical property — encompasses both technical and 
nontechnical components. 

Physical security is an often overlooked aspect of an information-security 
program. Physical security is a critical component of information security. 
Your ability to secure your information depends on your ability to secure 
your site physically. In this chapter, I cover some common physical-security 
weaknesses, as they relate to computers and information security, to look for 
in your own systems. In addition, I outline free and low-cost countermeasures 
to minimize your vulnerabilities. I don't recommend breaking and entering, 
which is required for some physical-security tests. Instead, approach sensi- 
tive areas to see how far you can get. Take a fresh look — from an outsider's 
perspective — at the physical vulnerabilities I cover in this chapter. You may 
discover holes in your physical-security infrastructure. 



Physical-Security Vulnerabilities 

Whatever your computer and network-security technology, practically any 
hack is possible if a hacker is in your building or computer room. That's why 
it's important to look for physical-security vulnerabilities. 



Part II: Putting Ethical Hacking in Motion 



pBooks 



In small companies, some physical-security issues may not be a problem. 
Many physical security vulnerabilities depend on factors like the following: 



of the building 
i>* Number of buildings or sites 
v 0 Number of employees 

\>* Location and number of building entrance/exit points 

V Placement of the computer room(s) and other confidential information 

Literally thousands of possible physical-security vulnerabilities exist. The 
bad guys are always on the lookout for them — so you should find these vul- 
nerabilities first. Here are some common physical-security vulnerabilities I've 
found when assessing security: 

V No receptionist in a building 

No visitor sign-in or escort required for building access 

Employees trusting visitors just because they're wearing vendor uni- 
forms or say they're there to work on the copier or computers 

v 0 No access controls on doors 

f Doors propped open 

Publicly accessible computer rooms 

V Backup media lying around 
Unsecured computer hardware and software media 

tr* CDs and floppy disks with confidential information in trash cans 



When these physical-security vulnerabilities are exploited, bad things can 
happen. Perhaps the biggest problem is that unauthorized people can enter 
your building. After intruders are in your building, they can wander the halls; 
log onto computers; rummage through the trash; and steal hard-copy docu- 
ments, floppy disks and CDs, and even computers out of offices. 



What to Look For 

You should look for specific security vulnerabilities. Many potential physical- 
security exploits seem unlikely, but they happen to organizations that don't 
take physical security seriously. 

Hackers can exploit many physical-security vulnerabilities, including weak- 
nesses in a building's infrastructure, office layout, computer-room access, 
and design. In addition to these factors, consider the facility's proximity to 



Chapter 6: Physical Security 



pBodKS 



local emergency assistance (police, fire, and ambulance) and the area's crime 
statistics (burglary, breaking and entering, and so on) so you can better under- 
at you're up against. 



A Q&A on physical security with Jack Wiles 



In this Q&A session, Jack Wiles, an information- 
security pioneer with over 30 years of experi- 
ence, answered several questions on physical 
security and how a lack of it often leads to infor- 
mation insecurity. 

How important do you think physical security 
is in relation to technical-security issues? 

I've been asked that question many times in the 
past, and from decades of experience with both 
physical and technical security, I have a stan- 
dard answer. Without question, many of the 
most expensive technical-security counter- 
measures and tools become worthless when 
physical security is weak. If I can get my team 
into your building(s) and walk up to someone's 
desk and log in as that person, I have bypassed 
all your technical-security systems. In past 
security assessments, after my team and I 
entered a building, we always found that people 
simply thought that we belonged there — that 
we were employees. We were always friendly 
and helpful when we came in contact with real 
employees. They would often return the kind- 
ness by helping us with whatever we asked for. 

How were you able to get into most of the 
buildings when you conducted "red team" pen- 
etration tests for companies? 

In many cases, we just boldly walked into the 
building and went up the elevator in multistory 
buildings. If we were challenged, we always 
had a story ready. Our typical story was that we 
thought that this was the HR department, and 
we were there to apply for a job. If we were 
stopped at the door and told which building to 



go to for HR, we simply left and then looked for 
other entrances to that same building. If we 
found an outside smoking area at a different 
door, we attempted tailgating and simply walked 
in behind other employees who were reenter- 
ing the building after finishing their breaks. 
Tailgating also worked at most entrances that 
required card access. In my career as a red- 
team leader, we were never stopped and ques- 
tioned. We simply said, "Thank you" as we 
walked in and compromised the entire building. 

What kinds of things would you bring out of a 
building? 

It was always easy to get enough important 
documentation to prove that we were there. In 
many cases, the documentation was sitting in a 
box next to someone's desk (especially if that 
person was someone important) marked RECY- 
CLE. To us, that really said, "Steal me first"! We 
found it interesting that many companies just let 
their recycle boxes fill up before emptying them. 
We would also look for a room where strip-cut 
shredders were used. The documents that were 
shredded were usually stored in clear plastic 
bags. We loaded these bags into our cars and 
had many of the shredded documents put back 
together in a few hours. We found that if we 
pasted the strips from any page on cardboard 
with as much as an inch of space between the 
strips, the final document was still readable. 

Jack Wiles is president of TheTrainingCo. 
and promotes the annual information- 
security conference Techno Security (www. 

thetrai ni ngco . com). 



Part II: Putting Ethical Hacking in Motion 



pBoa 

sv 



The following sections list vulnerabilities to look for when assessing your orga- 
nization's physical security. This won't take a lot of technical savvy or expen- 
jpment. Depending on the size of your facilities, these tests shouldn't 
time. The bottom line is to determine whether the physical-security 
systems are adequate for the risks involved. Above all, be practical and use 
common sense. 



Buiidinq infrastructure 

Doors, windows, and walls are critical components of a building — especially 
in a computer room or in an area where confidential information is stored. 

Attack points 

Hackers can exploit a handful of building-infrastructure vulnerabilities. 
Consider the following attack points, which are commonly overlooked: 

Are doors propped open? If so, why? 

Can gaps at the bottom of critical doors allow someone using a balloon 
or other device to trip a sensor on the inside of a "secure" room? 

Would it be easy to force doors open? Would a simple kick near the 
doorknob suffice? 

What is the building and/or computer room made of (steel, wood, con- 
crete), and how sturdy are the walls and entryways? How resilient would 
the material be to earthquakes, tornadoes, strong winds, heavy rains, 
and vehicles driving into the building? 

Are any doors or windows made of glass? Is this glass clear? Is the glass 
shatterproof or bulletproof? 

f* Are doors, windows, and other entry points wired to an alarm system? 

Are there drop ceilings with tiles that can be pushed up? Are the walls 
slab-to-slab? If not, hackers can easily scale walls, bypassing any door or 
window access controls. 

Countermeasures 

Many physical-security countermeasures for building vulnerabilities may 
require other maintenance, construction, or operations experts. If building 
infrastructures is not your forte, you can hire outside experts during the 
design, assessment, and retrofitting stages to ensure that you have adequate 
controls. Here are some of the best ways to solidify building security: 

Strong doors and locks 

Windowless walls around computer rooms 



Chapter 6: Physical Security 



■ ^ An alarm system that's connected to all access points and continuously 



ipBooks 

is Man 



monitored 

ting (especially around entry/exit points) 
Mantraps that allow only person at a time to pass through a door 
Fences (barbed wire and razor wire) 



Utilities 

You must consider building and computer-room utilities, such as power, 
water, and fire suppression, when accessing physical security. These utilities 
can help fight off such incidents as fire and keep other access controls run- 
ning during a power loss. They can also be used against you if an intruder 
enters the building. 



Attack points 

Hackers often exploit utility-related vulnerabilities. Consider the following 
attack points, which are commonly overlooked: 

u 0 Is power-protection equipment (surge protectors, UPSs, and generators) 
in place? How easily accessible are the on/off switches on these devices? 
Can an intruder walk in and flip a switch? 

u 0 When the power fails, what happens to physical-security mechanisms? 
Do they fail open, allowing anyone through, or fail closed, keeping every- 
one in or out until the power is restored? 

v 01 Where are fire-detection and -suppression devices — including alarm 
sensors, extinguishers, and sprinkler systems — located? Determine 
how a malicious intruder can abuse them. Are these devices placed 
where they can harm electronic equipment during a false alarm? 

v 0 Where are water and gas shutoff valves located? Can you access them, 
or would you have to call maintenance personnel about an incident? 

)s* Are local telecom wires (both copper and fiber) that run outside of the 
building located aboveground, where someone can tap into them with 
telecom tools? Can digging in the area cut them easily? Are they located 
on telephone poles that are vulnerable to traffic accidents? 



Countermeasures 

You may need to involve other experts during the design, assessment, or 
retrofitting stages. The key is placement: 



u 0 Where are the major utility controls placed? 

v 0 Can a hacker or other miscreant walking through the building access the 
controls to turn them on and off? 



Part II: Putting Ethical Hacking in Motion 



P 



® 



Covers for on/off switches and thermostat controls and locks for server 
power buttons and PCI expansion slots are effective defenses. 

I ^^b|^^^sessed the physical security of an Internet collocation facility for a 
very large computer company (whose name will remain anonymous). I made it 
past the front guard and tailgated through all the controlled doors to reach the 
data center. After I was inside, I walked by such equipment as servers, routers, 
firewalls, UPSs, and power cords that were owned by very large dot-com com- 
panies. All this equipment was completely exposed to anyone walking in that 
area. A quick flip of a switch or an accidental trip over a network cable dan- 
gling to the floor could bring an entire shelf — and a global e-commerce site — 
to the ground. 



Office layout and usage 

Office design and usage can either help or hinder physical security. 

Hackers may exploit some office vulnerabilities. Consider these attack points: 

Does a receptionist or security guard monitor traffic in and out? 

Do employees have confidential information on their desks? What about 
mail and other packages — do they lie around outside someone's door 
or, even worse, outside the building, waiting for pickup? 

Where are trash cans and dumpsters located? Are they easily accessible 
by anyone? Are recycling bins or shredders used? Open recycling bins 
and other careless handling of trash are open invitations for dumpster 
diving — in which hackers search for confidential company information 
in phone lists and memos in the trash. Dumpster diving can lead to 
many security exposures. 

How secure are mail and copy rooms? If hackers can access these 
rooms, they can steal mail or company letterhead to use against you. 

V Are closed-circuit television (CCTV) cameras used and monitored? 

What access controls are on doors and windows? Are regular keys, card 
keys, combination locks, or biometrics used? Who can access these keys, 
and where are they stored? Keys and programmable keypad combinations 
are often shared among users, making accountability difficult to deter- 
mine. Find out how many people share these combinations and keys. 

Countermeasures 

Simple measures can reduce your exposure to office vulnerabilities: 



Chapter 6: Physical Security 



DropBoo 





A receptionist or a security guard who monitors people coming and going. 
This is the most critical countermeasure. This person can ensure that 
y visitor signs in and that all new or untrusted visitors are always 
rted. 

Make it policy and procedure for all employees to question strangers 
and report strange behavior in the building. 

Employees Only or Authorized Personnel Only signs show the bad guys 
where they should go instead of deterring them from entering. 

j** CCTV cameras. 

f" Single entry/exit points to a building or computer room. 
Secure areas for dumpsters. 

Cross-cut shredders or secure recycling bins for hard-copy documents. 

i>* Limited numbers of keys and pass-code combinations. 

Make keys and pass codes unique for each person, whenever possible. 

i>* Biometrics identification systems can be very effective, but they can 
also be expensive and difficult to manage. 



NeWork components and computers 

After hackers obtain physical access to a building, they look for the computer 
room and other easily accessible computer and network devices. 

Attack points 

The keys to the kingdom are often as close as someone's desktop computer 
and not much farther than an unsecured computer room or wiring closet. 

Malicious intruders can do the following: 

i>* Obtain network access and send malicious e-mails as a logged-in user. 

Steal files from the computer by copying them onto a floppy disk or USB 
drive, or by e-mailing them to an external address. 

Enter unlocked computer rooms and mess around with servers, firewalls, 
and routers. 

v 0 Walk out with network diagrams, contact lists, and business-continuity 
and incident-response plans. 

i>* Obtain phone numbers from analog lines and circuit IDs from Tl, frame- 
relay, and other telecom equipment for future attacks. 



Part II: Putting Ethical Hacking in Motion 



pBooks- 

monil 



Practically every bit of unencrypted information that traverses the network 
can be recorded for future analysis through one of the following methods: 



-JftNG/ 



ecting a computer running network-analyzer software to a hub, 
monitor, or mirrored port on a switch on your network 

f Installing network-analyzer software on an existing computer. 

This is very hard to spot. 



How would hackers access this information in the future? 



V The easiest attack method is to either install remote-administration soft- 
ware on the computer or dial into a modem by using VNC or 
pcAnywhere. 

A crafty hacker with enough time can bind a public IP address to the 
computer if it's outside the firewall. Hackers with enough network 
knowledge can configure new firewall rules to do this. 



Also consider these other vulnerabilities: 



*** How easily can someone's computer be accessed during regular hours? 
During lunchtime? After hours? 

is* Are servers, firewalls, routers, and switches mounted in locked racks? 

Are computers — especially laptops — secured to desks with locks? 

Are passwords stored on sticky notes on computer screens, keyboards, 
or desks? 

«" Are backup media lying around the computer room susceptible to theft? 

v 0 Are media safes used to protect backup media? Who can access the safe? 

«>* How are laptops and hand-held computers handled in-house and when 
employees are working from home or traveling? Are personal digital 
assistants (PDAs) and cell phones sitting around unsecured? These 
devices are often at great risk because of their size and value. Also, they 
are typically unprotected by the organization's regular security controls. 
Are specific policies and technologies in place to help protect them? Is 
locking laptop bags and PDA cases required? What about power-on pass- 
words? Also consider encryption in case these devices get into a 
hacker's hands. 

How easily can someone access a wireless access point (AP) signal or the 
AP itself to join the network? 

Are network firewalls, routers, switches, and hubs (basically, anything 
with an Ethernet connection) easily accessible, which would enable a 
hacker to plug into the network easily? 



Chapter 6: Physical Security 



Are all cables patched through on the patch panel in the wiring closet so 
t$~L all network drops are live? 



pftooks 

I V Are ( 



is very common but a bad idea. 



cable traps/locks in place that prevent hackers from unplugging net- 
work cables from patch panels or computers to use those connections 
for their own computers? 



Countermeasures 

Network and computer security countermeasures are some of the simplest to 
implement, yet the most difficult to enforce because they involve everyday 
actions. Here is a rundown of these countermeasures: 



f* Require users to lock their screens — which usually takes a few clicks or 
keystrokes in Windows or UNIX — to keep intruders out of their systems. 

Ensure that strong passwords are used (as covered in Chapter 7). 

V Require laptop users to lock their systems to their desks with a locking 
cable. This is especially important in larger companies or locations that 
receive a lot of foot traffic. 

f* Keep computer rooms and wiring closets locked, and monitor those 
areas for malicious wrongdoings. 

f* Keep a current inventory of hardware and software within the organiza- 
tion — especially in computer rooms — so it's easy to determine when 
extra equipment appears or other equipment is missing. 

V 0 Properly secure computer media — such as floppy disks, CD-ROMs, 
tapes, and hard drives — when stored and during transport. 

Use a bulk eraser on magnetic media before it's discarded. 



Part II: Putting Ethical Hacking in Motion 



DropBooks 




DropBooks 



Chapter 7 



Passwords 



In This Chapter 

Identifying password vulnerabilities 

Examining password-hacking tools and techniques 

Hacking operating-system passwords 

Hacking password-protected files 

Protecting your systems from password hacking 



#«/assword hacking is one of the easiest and most common ways hackers 
V obtain unauthorized computer or network access. Although strong pass- 
words that are difficult to crack (or guess) are easy to create and maintain, 
users often neglect this. Therefore, passwords are one of the weakest links in 
the information-security chain. Passwords rely on secrecy. After a password 
is compromised, its original owner isn't the only person who can access the 
system with it. That's when bad things start happening. 

Hackers have many ways to obtain passwords. They can glean passwords 
simply by asking for them or by looking over the shoulders of users as they 
type them in. Hackers can also obtain passwords from local computers by 
using password-cracking software. To obtain passwords from across a net- 
work, hackers can use remote cracking utilities or network analyzers. 

This chapter demonstrates just how easily hackers can gather password 
information from your network. I outline common password vulnerabilities 
that exist in computer networks and describe countermeasures to help pre- 
vent these vulnerabilities from being exploited on your systems. 

If you perform the tests and implement the countermeasures outlined in this 
chapter, you're well on your way to securing your systems' passwords. 



When you balance the cost of security and the value of the protected infor- 
mation, the combination of user ID and secret password is usually adequate. 




Password Vulnerabilities 



Part II: Putting Ethical Hacking in Motion 



pBoaks 

One bia di 



However, passwords give a false sense of security. The bad guys know this 
and attempt to crack passwords as a step toward breaking into computer 



One big problem with relying solely on passwords for information security is 
that more than one person can know them. Sometimes, this is intentional; 
^VftBEy? often, it's not. You can't know who has a password other than the owner. 



Knowing a password doesn't make someone an authorized user. 

Here are the two general classifications of password vulnerabilities: 

Organizational or end-user vulnerabilities: This includes lack of pass- 
word awareness on the part of end users and the lack of password poli- 
cies that are enforced within the organization. 

Technical vulnerabilities: This includes weak encryption methods and 
insecure storage of passwords on computer systems. 

Before computer networks and the Internet, the user's physical environment 
was an additional layer of password security. Now that most computers have 
network connectivity, that protection is gone. 



Organizational password Vulnerabilities 

It's human nature to want convenience. This makes passwords one of the eas- 
iest barriers for an attacker to overcome. Almost 3 trillion (yes, trillion with a 
t and 12 zeros) eight-character password combinations are possible by using 
the 26 letters of the alphabet and the numerals 0 through 9. However, most 
people prefer to create passwords that are easy to remember. Users like to 
use such passwords as "password," their login name, or a pet's name. 

Unless users are educated and reminded about using strong passwords, their 
passwords usually are 

j*" Weak and easy to guess. 
Seldom changed. 

Reused for many security points. When bad guys crack a password, they 
try to access other systems with the same password and user name. 

is* Written down in nonsecure places. The more complex a password is, the 
more difficult it is to crack. However, when users create more complex 
passwords, they're more likely to write them down. Hackers can find 
these passwords and use them against you. 



Chapter 7: Passwords 



p! 




y in Windows password vulnerabilities 
with Philippe Oechslin 



In this case study. Dr. Philippe Oechslin, a 
researcher and independent information secu- 
rity consultant, shared with me his recent 
research findings on Windows password 
vulnerabilities. 

The Situation 

In 2003, Dr. Oechslin discovered a new method 
for cracking Windows passwords. While test- 
ing a brute-force password-cracking tool, he 
thought it was a waste of time for everyone 
using the same tool to have to generate the 
same hashes over and over again. He believed 
that generating a huge dictionary of all possible 
hashes would make it easier to crack Windows 
passwords, but then he quickly realized that a 
dictionary of the LAN Manager (LM) hashes of 
all possible alphanumerical passwords would 
require over a terabyte of storage. 

During his research, Dr. Oechslin discovered a 
technique called time-memory trade-offs, 
where hashes are computed in advance but 
only a small fraction are stored (approximately 
one in a thousand). He discovered that how the 
LM hashes are organized allows you to find any 
password if you spend sometime recalculating 
some of the hashes. This technique saves 
memory but takes a lot of time. Studying this 
method, he found a way to make it more effi- 
cient, making it possible to find any of the 80 bil- 
lion unique hashes by using a table of 250 million 
entries (1 GB worth of data) and performing only 
4 million hash calculations. This process is 
much faster than a brute-force attack, which 
must generate 50 percent of the hashes (40 bil- 
lion) on average. 

This research is based on the absence of a 
random element when Windows passwords are 
hashed. This is true for both the LM hash and 
the NT hash built into Windows. As a result, the 



same password produces the same hash on 
any Windows machine. Although it is known 
that Windows hashes have no random element, 
no one has used a technique like the one that 
Dr. Oechslin discovered to crack Windows 
passwords. 

For a short time. Dr. Oechslin and his team had 
an interactive tool on their Web site 
(1 asecwww . epf 1 . ch) that enabled visitors to 
submit hashes and have them cracked. Over a 
six-day period, the tool cracked 1,845 pass- 
words in an average of 7.7 seconds! They deac- 
tivated the demo after a week (and a million hits) 
and did not release the tool because they didn't 
want to help hackers. Dr. Oechslin did say that 
he has heard about other tools (such as 
RainbowCrack) that use the same method but 
are being developed independently. 

The Outcome 

So what's the big deal, you say? This password- 
cracking method can crack any alphanumerical 
password in a few seconds, whereas current 
brute-force tools can take several hours. Dr. 
Oechslin and his research team have generated 
a table with which they can crack any pass- 
word made of letters, numbers, and 16 other 
characters in less than a minute, demonstrating 
that passwords made up of letters and numbers 
aren't good enough. He also stated that this 
method is useful for ethical hackers who have 
only limited time to perform their testing. 
Unfortunately, hackers have the same benefit 
and can perform their attacks before anyone 
detects them! 

Philippe Oechslin, PhD, CISSP, is a lecturer and 
senior research assistant at the Swiss Federal 
Institute of Technology in Lausanne and spends 
his spare time as an independent information- 
security consultant. 



Part II: Putting Ethical Hacking in Motion 



pBoofe 



Technical password Vulnerabilities 



jften find these serious technical vulnerabilities after exploiting 
tional password vulnerabilities: 



Weak password-encryption schemes. Hackers can break weak password 
storage mechanisms by using cracking methods that I outline in this 
chapter. Many vendors and developers believe that passwords are safe 
from hackers if they don't publish the source code for their encryption 
algorithms. Wrong! A persistent, patient hacker can usually crack this 
security by obscurity fairly quickly After the code is cracked, it is soon 
distributed across the Internet and becomes public knowledge. 

Password-cracking utilities take advantage of weak password encryption. 
These utilities do the grunt work and can crack any password, given 
enough time and computing power. 

Software that stores passwords in memory and easily accessed databases. 
End-user applications that display passwords on the screen while typing. 

The ICAT Metabase (an index of computer vulnerabilities) currently identifies 
over 460 technical password vulnerabilities, 230 of which are labeled as high- 
severity. You can search for some of these issues at icat.nist.gov/icat. 
cf m to find out how vulnerable some of your systems are from a technical 
perspective. 



Cracking Passwords 



Password cracking is one of the most enjoyable hacks for the bad guys. It fuels 
their sense of exploration and desire to figure things out. You may not have 
a burning desire to explore everyone's passwords, but it helps to approach 
password cracking with this thinking. So where should you start hacking the 
passwords on your systems? Generally speaking, any user's password works. 
After you obtain one password, you can obtain others — including adminis- 
trator or root passwords. 

Administrator passwords are the pot of gold. With unauthorized administrative 
access, you can do virtually anything on the system. When looking for your 
organization's password vulnerabilities, I recommend first trying to obtain 
the highest level of access possible (such as administrator) through the most 
discreet method possible. That's what the hackers do. 



You can use low-tech ways and high-tech ways to exploit the vulnerabilities and 
obtain passwords. For example, you can deceive users into divulging pass- 
words over the telephone or simply observe what a user has written down on 
a piece of paper. Or you can capture passwords directly from a computer or 
over a network or the Internet with tools covered in the following sections. 



Chapter 7: Passwords 




Cracking passwords the old-fashioned u/ay 

1 1 fj [J fj r% Y\te< can use low-tech methods to crack passwords. These methods 
^"^ Tn<!lurjWising social-engineering techniques, shoulder surfing, and simply 

guessing passwords from information that you know about the user. 

Social engineering 

The most popular low-tech method is social engineering, which is covered in 
detail in Chapter 5. Social engineering takes advantage of the trusting nature 
of human beings to gain information that can later be used maliciously. 

Techniques 

To obtain a password through social engineering, you just ask for it. For 
example, you can simply call a user and tell him that he has some important- 
looking e-mails stuck in the mail queue and you need his password to log in 
and free them up. This is how hackers try to get the information! 

If your colleague gives you his password, make sure that he changes it. 

Countermeasures 

User awareness is the best defense against social engineering. Train users 
to spot attacks (such as suspicious phone calls or deceitful e-mails) and 
respond effectively. Their best response is to not give out any information 
and to alert the appropriate information-security officer in the organization 
to see whether the inquiry is legitimate and whether a response is necessary. 
For this defense to be successful, the organization must enforce a security 
policy and provide ongoing security-awareness training to users. 

Shoulder surfing 

Shoulder surfing is an effective, low-tech password hack. 
Techniques 

To mount this attack, you must be near the user and not look obvious. Simply 
watch either the user's keyboard or screen when logging in. 

A hacker with a good eye may watch whether the user is glancing around his 
desk for either a reminder of the password or the password itself. 

Many folks have experienced shoulder surfing at the grocery-store checkout 
line. You swipe your debit card to pay for your chips and dip; you enter your 
PIN to authorize the transaction; and before you know it, the guy in line 
behind you has your PIN! He simply watched you enter it into the keypad. 

You can try shoulder surfing yourself — though preferably not in the grocery- 
store checkout line. Just walk around the office and perform random spot 
checks. Go to users' desks, and ask them to log in to their computers, the 



Part II: Putting Ethical Hacking in Motion 



doing Deic 

DropBoOte 



network, or even their e-mail applications. Just don't tell them what you're 
doing beforehand, or they'll be on to you and attempt to hide what they're 
where they're looking for their password — two things that they 
been doing all along! 



Countermeasures 

Encourage users to be aware of their surroundings and not enter their pass- 
words when they suspect that someone is looking over their shoulder. 
Instruct users that if they suspect someone is looking over their shoulder 
while they're logging in, they should politely ask the person to look away. 



Inference 

Inference is simply guessing passwords from information you know about 
users — such as their date of birth, favorite television show, and phone num- 
bers. It sounds silly, but you can determine passwords by guessing! 

The best defense against an inference hack attack is to educate users about 
creating secure passwords that do not include information that can be asso- 
ciated with them. You can't easily enforce this practice with technical con- 
trols, so you need a sound security policy and ongoing awareness training to 
remind users of the importance of secure password creation. 



Weak authentication 

Hackers can obtain — or simply avoid having to use — passwords by taking 
advantage of older operating systems, such as Windows 9x and Me. These 
operating systems don't require passwords to log in. 

Bypassing authentication 

On a Windows 9x or similar workstation that's prompting for a password, you 
can press Esc on the keyboard to get right in. After you're in, you can find 
other passwords stored in such places as dial-up networking connections 
and screen savers. These weak systems can serve as trusted machines — 
meaning that it's assumed that they're secure — and provide good launching 
pads for network-based password attacks as well. 



Coun termeasures 

The only true defense against this hack is to not use operating systems that 
employ weak authentication. To eliminate this vulnerability, upgrade to 
Windows XP, or use Linux or the flavors of UNIX, including Mac OS X. 




More modern authentication systems (such as Kerberos, which is used in 
newer versions of Windows), directory services (such as Novell's eDirectory), 
and network-based e-mail systems (such as Exchange) encrypt user passwords 
or don't communicate the passwords across the network. These measures 
create an extra layer of security, but these authentication systems still have 
some vulnerabilities, which I discuss shortly. 



Chapter 7: Passwords 



High-tech password cracking 



password cracking involves using a program that tries to guess a 
r d by determining all possible password combinations. These high- 
tech methods are mostly automated after you access the computer and pass- 
word database files. 




Password cracking software 

You can try to crack your organization's operating-system and Internet- 
application passwords with various password cracking tools: 

f" LC4 (previously called LOphtcrack) can sniff out password hashes from 
the wire. Go to www .atstake. com/ research/ lc 

u 0 NetBIOS Auditing Tool (NAT) specializes in network-based password 
attacks. Go to www .security focus, com /tool s/543 

u 0 Chknull (www .phreak.org/archives/exploits/novell) for Novell 
NetWare password testing 

u 0 These tools require physical access on the tested computer: 

• John the Ripper (www . openwa 1 1 . com/ j ohn) 

• pwdump2 (razor. bindview. com/tool s/desc/pwd urn p2_ 
readme . html) 

• Crack (coast.cs.purdue.edu/pub/tools/unix/pwdutils/ 
crack) 

• Brutus (www .hoobie.net/brutus) 

• Pandora (www .nmrc.org/project/pandor a) 

• NTFSDOS Professional (www .winternals .com) 
u 0 Various other handy password tools exist, such as 

• GetPass for decrypting login passwords for Cisco routers (www . 
boson. com/promo/utiliti es/getpass/getpass_uti 1 i ty . htm) 

• Win Sniffer for capturing FTP, e-mail, and other types of passwords 
off the network 

• Cain and Abel for capturing, cracking, and even calculating various 
types of passwords on a plethora of systems (www .oxid.it/ 
cai n . html) 

You may be wondering what value a password-cracking tool offers if you need 
physical access to your systems to test them. Some would say that if a hacker 
can obtain physical access to your systems and password files, you have 
more than just basic information-security problems to worry about. But this 
kind of access is entirely possible! What about a summer intern, a disgruntled 
employee, or an outside consultant with malicious intent? 



Part II: Putting Ethical Hacking in Motion 



pBo 



Password-cracking utilities take a set of known passwords and run them 
through a password-hashing algorithm. The resulting hashes — or an 

id form of a data set — are then compared at lightning speed to the 
hashes extracted from the original password database. When a 
match is found between the newly generated hash and the hash in the origi- 
nal database, the password has been cracked. It's that simple. 



Other password-cracking programs simply attempt to logon using a prede- 
fined set of user IDs and passwords. In fact, NAT can do just that. NAT takes 
advantage of some known weaknesses in Microsoft's Server Message Block 
(SMB) protocol, which is used for file and print sharing. 

Try running NAT in a real-world scenario. Simply download NAT from the pre- 
ceding address, and extract it to a temporary directory on your hard drive. 
NAT comes with some predefined usernames and passwords in the userl i st . 
txt and passl i st . txt files, but you can modify them or add your own. For 
a quick test of a Windows NT or 2000 machine across the network, enter this 
basic NAT command at a command prompt: 

nat -u userlist.txt -p passlist.txt IP_address_of_the_computer_you' re_testing 



Figure 7-1 shows the output of my test server when I ran NAT against it. NAT 
used the default password list to crack the administrator password in just a 
few seconds. If you don't have any luck, consider using one of the dictionary 
files listed in the next section. Just give the test some time. If you use one of 
the larger lists, the process may take quite a while. 




Checking ho si 

— Obtaining ii: 

— Remote systei 

hi Ma 

D0NFIIN1 

06_f1SBROWSE_l 
ADMINISTRATOR 



IB. 11. 12. 200 
of remote NetBIOS 
: name tables : 



Figure 7-1: 

Output from 
the NetBIOS 
Auditing 
Tool. 



iect uith name: UINNT 
te: UINNT 

,ect uith protocol: MICROSOFT NETWORKS 1.03 
< Aug 3 12:33:00 2003 



- Attempting to c 
CONNECTED with 

- Attempting to e 
] Uas not able to 

- Attempting to c 

- Attempting to c 

I Attempting to c 

CONNECTED: Use» 
|C : Spas s words > 



innect uith name 
ane: UINNT 
tablish session 

innect uith User 

innect uith User 



encrypt, telling it not to 
UINNT 



' ADMINISTRATOR' 
' ADMINISTRATOR' 



ssuord: 'admini: 
ssuord: 'passwo: 
ssuord: 'share' 



Passwords that are subjected to cracking tools eventually lose. You have 
access to the same tools as the bad guys. These tools can be used for both 
legitimate auditing and malicious attacks. You want to audit your passwords 
before the bad guys do, and in this section, I show you some of my favorite 
methods for auditing Windows and Linux/UNIX passwords. 



Chapter 7: Passwords 






When trying to crack passwords, the associated user accounts may be locked 
out, which could interrupt your users. Be careful if you have intruder lockout 
■ you may have to go back in and reenable locked accounts. 



Passwords are typically stored on a computer in an encrypted fashion, using 
an encryption or one-way hash algorithm such as DES or MD5. Hashed pass- 
words are then represented as fixed-length encrypted strings that always rep- 
resent the same passwords with exactly the same strings. These hashes are 
irreversible for all practical purposes, so passwords can never be decrypted. 

Password storage locations vary by operating system: 



*** Windows usually stores passwords in these locations: 

• Security Accounts Manager (SAM) database 

(c:\winnt\system32\config) 

• Active Directory database file that's stored locally or spread across 
domain controllers (ntds . di t) 

Windows sometimes stores passwords in either a backup of the SAM file 
inthec:\winnt\repair directory or on an emergency repair disk. 

Some Windows applications store passwords in the Registry or as plain- 
text files on the hard drive! 

Linux and other UNIX variants typically store passwords in these files: 

• /etc/passwd (readable by everyone) 

• /etc/shadow (accessible by root only) 

• /etc/securi ty /passwd (accessible by root only) 

• / . secure/etc/passwd (accessible by root only) 



Two high-tech password-cracking methods are dictionary attacks and brute- 
force attacks. 



Dictionary attacks 

Dictionary attacks against passwords quickly compare a set of words — 
including many common passwords — against a password database. This 
database is a text file with thousands of words typically listed in alphabetical 
order. For instance, suppose that you have a dictionary file that you down- 
loaded from one of the sites in the following list. The English dictionary file at 
the Purdue site contains one word per line starting with 10th, 1st . . . all the 
way to zucchini and zygote. 

Many password-cracking utilities can use a separate dictionary that you 
create or download from the Internet. Here are some popular sites that 
house dictionary files and other miscellaneous word lists: 



Part II: Putting Ethical Hacking in Motion 



pBoofc® 



*>*ftp://ftp.cerias.purdue.edu/pub/dict 
ftp://ftp.ox.ac.uk/pub/wordlists 

etstormsecurity.nl/Crackers/wordlists 
V www .outpost9.com/files/WordLists. html 



Most dictionary attacks are good for weak (easily guessed) passwords. 
However, some special dictionaries have common misspellings of words such 
as pa$$wOrd (password) and 5ecurlty (security), non-English words, and the- 
matic words from religions, politics, or Star Trek. 



j0* 



Brute-force attacks 

Brute-force attacks can crack any password, given sufficient time. Brute-force 
attacks try every combination of numbers, letters, and special characters 
until the password is discovered. Many password-cracking utilities let you 
specify such testing criteria as the characters and password length to try. 

A brute-force test can take quite a while, depending on the number of accounts, 
their associated password complexities, and the speed of the computer that's 
running the cracking software. 

Smart hackers attempt logins slowly or at random times so the failed login 
attempts aren't as predictable or obvious in the system log files. Some mali- 
cious users may even call the IT help desk to attempt a reset of the account 
they've just locked out. This social-engineering technique could be a major 
issue, especially if the organization has no or minimal mechanisms in place to 
verify that locked-out users are who they say they are. 

Can an expiring password deter a hacker's attack and render password- 
cracking software useless? Yes. After the password is changed, the cracking 
must start again if the hacker wants to test all the possible combinations. 
This is one reason why passwords must be changed periodically. Shortening 
the change interval can reduce the risk of a password's being cracked. 

Exhaustive password-cracking attempts usually aren't necessary. Most pass- 
words are fairly weak. Even minimum password requirements, such as a pass- 
word length, can help you in your testing; you may be able to give your 
cracking programs more defined cracking parameters, which eliminates com- 
binations for faster results. 



Crackinq passwords With putdump2 and John the Ripper 

The following steps use two of my favorite utilities to test the security of cur- 
rent passwords on Windows systems: 



Chapter 7: Passwords 



pwdump2 (to extract password hashes from the Windows SAM database) 
■-^ tr* John the Ripper (to crack the hashes of Windows and UNIX passwords) 

^ 1^ ^3 ^^rfisS^? requires administrative access to either your Windows NT/2000 
stand-alone workstation or server: 

1. Create a new directory called pas swords from the root of your 
Windows C: drive. 

2. Download and install a decompression tool, if you don't have one. 

FreeZip (members . ozemai 1 .com . au/~nul i f etv/f reezi p) and IZArc 
(www .web attack . com/get/ izarc.shtml) are free Windows decom- 
pression tools. Windows XP includes built-in decompression. 

3. Download, extract, and install the following software, if you don't 
already have it on your system: 

• pwdump2 — download the file from razor . bi ndvi ew . com/ 
tool s/desc/pwdump2_readme .html 

• John the Ripper — download the file from www . openwal 1 . com/ John 

4. Enter the following command to run pwdump2 and redirect its output 
to a file called cracked . txt: 

pwdump2 > cracked.txt 

This file will be used to store the Windows SAM password hashes that 
will later be cracked with John the Ripper. Figure 7-2 shows the contents 
of the cracked . txt file that contains the local Windows SAM-database 
password hashes. 




Figure 7-2: 

Output from 
pwdump2. 



I C: WINNT\system32\tmd.ef 



C:\pass words >t ype cracked.txt 

Firtr.iinisti-atoi-:S00:d480ea9533c500d4aad3b435b51404ee:3291S3f560eb329c0eldeeaS5e88a 
le9::: 

" :L:501:e52cac67419a9a224a3bl08f3fa6cb6d:8846f7eaee8f bll7ad0&bdd830b7G86c : : : 
joeblou: 1006 :dl50elaf c5f 5a788aad:)b435h51404ee : d61a0F98al23024860f ef elf 95412992:: 

>nith:1005:aad3b435b51404eeaad3b43Sb51404ee:31d6cfe0dl6ae93ib73c59d7e0c089c0::: 

Lano:1003:18ea78f4efaf573faad3b435b51404ee:bclcda67bad80d40040cd5eeclf95b48::: 
5uperPouerUser:1004:le631686f73b2462aad3b435b51404ee:725aa7celf 9d2487891d6838252 
lfd6f ::: 



5. Enter the following command to review the contents from the resulting 
hashes: 

type cracked.txt 

All the users on your system are listed (similar to Figure 7-3), whether 
you run this on a stand-alone Windows NT/2000 system or Windows 
Primary Domain Controller (PDC). 



Part II: Putting Ethical Hacking in Motion 



Fig ure 7-3: 

I pal fwoJa 

file hashes 
from 
pwdump2. 



!' : ■■ C:\WlNNT\syste 


n32\tmd.ene 


BI-IE3 


IKS 


ohn cracked.txt 

ot-ds with no different salts <NT LM DES [24/32 4K1> 
<Guest:i> 
<Lanto :1> 
<joeblow:l> 






ROOT 

&UFF ^ 


<fldninistrator:l> 
<SuperPouerUser:l> 
roe: 0:00:00:05 <3> c/s : 319789 trying: SUM! - RM45 






k;:\passuords>. 






- 




6. Enter the following command to run John the Ripper against the 
Windows SAM password hashes to display the cracked passwords: 

John cracked.txt 

You should see something similar to the following: 

Loaded 3 passwords with no different salts (Nf LM DES [24/32 4K]) 
123 (Weak: 1) 

PASS (Newuser:l) 
GUESS (Lame:l) 

guesses: 3 tine: 0:00:00:00 (3) c/s: 165146 trying: SAMELL - SANDIf 

This process can take seconds or days, depending on the number of 
users and the complexity of their associated passwords. My Windows 
example took only five seconds to crack five weak passwords. 

John the Ripper can crack UNIX passwords. You need root access to your 
system and to the password (/etc/passwd) and shadow password 
(/etc /shadow) files. Perform the following steps for cracking UNIX 
passwords: 

1. Download the UNIX source files from www. openwal 1 .com/john. 

2. Extract the program by entering the following command: 

tar -zxf john-1 . 6 . tar . gz 

3. Change into the /s rc directory that was created when you extracted 
the program, and enter the following command: 

make generic. 

4. Change into the /run directory, and enter the following command to 
use the unshadow program to combine the passwd and shadow files 
and copy them to the file cracked . txt: 

./unshadow /etc/passwd /etc/shadow > cracked.txt 

5. Enter the following command to start the cracking process: 

./john cracked.txt 

When John the Ripper is complete (and this could take some time), you 
get an output similar to the results of the preceding Windows process. 



Chapter 7: Passwords 



After completing the preceding Windows or UNIX steps, you can either 



ipBocte 



e users to change passwords that don't meet specific password 
y requirements. 




i>* Create a password policy from scratch. 

Be careful handling the results of your password cracking. Password informa- 
tion for others is confidential and should be treated with care. 

Checking for null passwords in NetWare 

Using the chknull program, you can test for NetWare users that have empty 
passwords, passwords that match their username, or passwords that match 
a specific password that you supply on the command line. Figure 7-4 shows 
the output of a chknull session against a NetWare server without being logged 
in: Four users have blank passwords, three users have the password "123," 
and one user's password is the same as his username (avadminuser). 



Figure 7-4: 

NetWare 
password 
weaknesses 
found with 
chknull. 



■chknull -p 123 

37800000 0001 JOHNNYD HrS a NULL password 

301 DOCTORX HfiS a NULL password 

301 NIKK1 HAS a NULL password 

301 MAHV HAS a NULL password 

'OUND 3e800000 0001 Hlt.l.V : 123 

?OUND 3f800000 0001 GONDMfiN : 123 

-OUND 40800000 0001 KBE8UER : 123 

?OUND 43800000 0001 HUADMI NUS ER : HU8DF11 NUSER 




General pa$su}ord*hackinq 
countermeasures 

A password for one system usually equals passwords for many other sys- 
tems, because many people use the same passwords on every system they 
use. For this reason, instruct users to create different passwords for different 
systems, especially on the systems that protect more sensitive information. 

Strong passwords are important, but balance security and convenience: 



You can't expect users to memorize passwords that are insanely com- 
plex and changed every week. 

You can't afford weak passwords or no passwords at all. 



Part II: Putting Ethical Hacking in Motion 




Passwords by the numbers 



rneTTnncTredTwenty-eight different ASCII char- 
acters are used in typical computer passwords. 
(Technically, only 126 characters are used, 
because you can't use the NULL and the car- 
riage return characters.) A truly random eight- 
character password that uses 126 different 
characters can have 63,527,879,748,485,376 dif- 
ferent combinations. Taking that a step further, 
if it were possible (and it is, in Linux and UNIX) 
to use all 256 ASCII characters (254, without 
NULL and carriage return) in a password, 
17,324,859,965,700,833,536 different combina- 
tions are possible. This is approximately 2.7 bil- 
lion times more combinations than there are 
people on earth! 

A text file containing all these possible pass- 
words would require millions of terabytes of 
storage space. Even if you included just the 



more realistic combination of 95 or so ASCII let- 
ters, numbers, and standard punctuation char- 
acters, such a file would still fill thousands of 
terabytes of storage space. These storage 
requirements require password-cracking pro- 
grams to form the password combinations on 
the fly, instead of reading all possible combina- 
tions from a text file. That's why brute-force 
attacks are more effective at cracking pass- 
words than dictionary attacks. 

Given the effectiveness of brute-force pass- 
word attacks, it's not unrealistic to think that in 
the future, anyone will be able to crack all pos- 
sible password combinations, given the current 
technology and average lifespan. It probably 
won't happen, but many of us also thought in the 
mid-1980s that 640KB of RAM and 10MB hard 
drives in our PCs were all we needed. 



Storing passwords 

If you have to choose between weak passwords that your users can memo- 
rize and strong passwords that your users must write down, I recommend 
having readers write down passwords and store the information securely. 
Train users to store their written passwords in a secure place — not on key- 
boards or in easily cracked password-protected computer files (such as 
spreadsheets). Users should store a written password in either of these 
locations: 



4* 



f A locked file cabinet or office safe 
is 0 An encrypted file or database, using such tools as 

• PGP (www . pgpi .org for the free open-source version or www. 
pgp . com for the commercial version) 

• Open-source Password Safe, originally developed by Counterpane 

(passwordsafe.sourceforge.net) 

No sticky notes! 



Policy considerations 

As an ethical hacker, you should show users the importance of securing their 
passwords. Here are some tips on how to do that: 



Chapter 7: Passwords 



pBocte 



I Demonstrate how to create secure passwords. You may want to refer to 
them as pass codes or pass phrases, because people tend to take the 
passwords literally and use only words, which can be less secure. 



what can happen when weak passwords are used or passwords 
are shared. 

f* Diligently build user awareness of social-engineering attacks. 

Enforce (or encourage the use of) a strong password-creation policy that 
includes the following criteria: 



Use upper- and lowercase letters, special characters, and numbers. 
(Never use only numbers. These passwords can be cracked quickly.) 

V Misspell words or create acronyms from a quote or a sentence. (An 
acronym is a word created from the initials of a phrase. For example, 
ASCII is an acronym for American Standard Code for Information 
Interchange.) 

V Use punctuation characters to separate words or acronyms, 
f Change passwords every 6 to 12 months. 

i>* Use different passwords for each system. This is especially important 
for network-infrastructure hosts, such as servers, firewalls, and routers. 

v 0 Use variable-length passwords. This can throw off the hackers, because 
they won't know the required minimum or maximum length of passwords 
and must try all password length combinations. 

Don't use common slang words or words that are in a dictionary. 

it* Don't use similar-looking characters, such as 3 instead of E, 5 instead 
of 5, or .' instead of 1. Password-cracking programs can check for this. 

is* Don't reuse the same password within 12 months. 

W Use password-protected screen savers. 

v 0 Don't share passwords. 

Avoid storing user passwords in a central place, such as an unsecured 
spreadsheet on a hard drive. This is an invitation for disaster. Use PGP, 
Password Safe, or a similar program to store user passwords. 

Other considerations 

Here are some other password-hacking countermeasures that I recommend: 



v* Enable security auditing to help monitor and track password attacks. 

Test your applications to make sure they aren't storing passwords in 
memory or writing them to disk. 



Part II: Putting Ethical Hacking in Motion 




Some password-cracking Trojan-horse applications are transmitted 
through worms or simple e-mail attachments, such as VBS . Network . B and 
,teal .SoapSpy. These applications can be lethal to your password- 
ection mechanisms if they're installed on your systems. The best 
defense is malware protection software, such as antivirus protection 
(from a vendor like Norton or McAfee), spyware protection (such as 
PestPatrol or Spybot), or malicious-code behavioral protection (such 
as Finjan's offerings). 

Keep your systems patched. Passwords are reset or compromised 
during buffer overflows or other DoS conditions. 

Know your user IDs. If an account has never been used, delete or 
disable the account until it's needed. You can determine unused 
accounts by manual inspection or by using a tool such as DumpSec 
(www . somarsof t . com), which can enumerate the Windows operating 
system and gather user ID and other information. 



As the security administrator in your organization, you can enable account 
lockout to prevent password-cracking attempts. Most operating systems and 
some applications have this capability. Don't set it too low (less than five failed 
logins), and don't set it too high to give a malicious user a greater chance of 
breaking in. Somewhere between 5 and 50 may work for you. I usually recom- 
mend a setting of around 10 or 15. 

To use account lockout and prevent any possibilities of a user DoS con- 
dition, require two different passwords, and don't set a lockout time for 
the first one. 

i>* If you permit auto reset of the account after a certain time period — 
often referred to as intruder lockout — don't set a short time period. 
Thirty minutes often works well. 

A failed login counter can increase password security and minimize the over- 
all effects if the account is being compromised by an automated attack. It can 
force a password change after a number of failed attempts. If the number of 
failed login attempts is high, and they all occurred in a short period of time, 
the account has likely experienced an automated password attack. 

Some more password-protection countermeasures include the following: 

i>* Use stronger authentication methods, such as challenge/response, smart 
cards, tokes, biometrics, or digital certificates. 

Automate password reset. This functionality lets users to manage most 
of their password problems without getting others involved. Otherwise, 
this support issue becomes expensive, especially for larger organizations. 

Password-protect the system BIOS (basic input/output system). This is 
especially important on servers and laptops that are susceptible to 
physical-security threats and vulnerabilities. 



Chapter 7: Passwords 



pBocfe 



Password-protected files 



onder how vulnerable word-processing, spreadsheet, and zip files 
ers send them into the wild blue yonder? Wonder no more. Some 
great utilities can show how easily passwords are cracked. 



Cracking files 

Most password-protected files can be cracked in seconds or minutes. You can 
demonstrate this "wow-factor" security vulnerability to users and manage- 
ment. Here's a real-world scenario: 



v 0 Your CFO wants to send some confidential financial information in an 
Excel spreadsheet to the company's outside financial advisor. 

She protects the spreadsheet by assigning a password to it during the 
file-save process in Excel 2002. 

v* For good measure, she uses WinZip to compress the file, and adds 
another password to make it really secure. 

*** The CFO sends the spreadsheet as an e-mail attachment, assuming that 
it will reach its destination securely. 

The financial advisor's network has content filtering, which monitors 
incoming e-mails for keywords and file attachments. Unfortunately, the 
financial advisory firm's network administrator is looking in the content- 
filtering system to see what's coming in. 

This rogue network administrator finds the e-mail with the con- 
fidential attachment, saves the attachment, and realizes that it's 
password-protected. 

t<" The network administrator remembers some great password-cracking 
utilities from ElcomSoft (www .el cotnsof t . com) that can help him out. He 
may see something like Figures 7-5 and 7-6. 

Cracking password-protected files is as simple as that! Now all that the rogue 
network administrator must do is forward the confidential spreadsheet to his 
buddies or the company's competitors. 

If you carefully select the right options in Advanced ZIP Password Recovery 
and Office XP Password Recovery, you can drastically shorten your testing 
time. For example, if you know that a password is not over 5 characters or is 
lowercase letters only, you can cut the cracking time in half. 



I recommend performing these file password-cracking tests on files that you 
capture with a content-filtering or network-analysis tool. 



Part II: Putting Ethical Hacking in Motion 



l,-Jl,.|<UMJILM 



•Books 

EnctyptedZIP-file 



Advanced ZIP Passwofd Recovery 



■ © 

Slop Benchma 



13 

About 



Type ot attack 



Password successfully recovered ! 



Advanced Zl P Pa : sword R ecovery statistics: 



y s* 



' U/24,'2UU3 5 « 59 PM Stalling brute-force allacl 

1 0/24/2003 5:49:59 PM - Password successfully recovered ! 

1 0^24/2003 5:49:59 PM - 2003' is a valid password lor this file 

Current password: 2003 Average speed: 

Time elapsed: Time remaining: 

Password length = 4. total: 1 0.000. processed: 2.004 

203; 



346.000 p/s 



AZPR version 3 54 (c) 1 997-2003 ElcomSoft Coltd. 



Total passwords 


3.114 




Total time 


13ms 


Average speed (passwords per second] 


239.538 


Password for this tile 


2003 




Password in HEX 


32 30 30 33 



El 



BBS! 



in 



(#OpenFfe.. - D C* H k 6 It C3 © \ 



0 £s 



C Brute-force attack 

C Brute-lotce with ma: 



C Dictionary attack 



Brute-force j Dictionary ] Auto-save | Options | Benchmark | 
rBfUte-lorce options 



Password length 
M 



Password successfully recovered \ 



Advanced Office XP Password Recovery Professional statistics: 



Current password 



Log window 



Total pass-word-; 



Average speed [passwords per second) 



Password for this file 



F'assword in HEX (Unicode) 
!~" Save in Unicode 

vX OK 



193948430 



1 9m 39s 482ms 

164435 

fich$ 

7200 6900 6300 6800 2400 
y Save... 



: Date. Tin 



| bvent 



5 
3 



$ 10/24/2003 5:54:24 PM Performing autobackup... 

•V 10/24/2003 5:59:24 PM Performing autobackup... 

^ 1 0/24/2003 6:04:04 PM Password successfully recovered ! 

}) 1 0/24/2003 6:04:04 PM 'rich!' is a valid password for this file 



Password length = 5 



Advanced Office XP Password Recovery Professional version 2,00 Copyright © 1999-2002 ElcomSoft Co. Ltd, 



Countermeasures 

The best defense against weak file password protection is to require your 
users to use a stronger form of file protection, such as PGP, when necessary. 
Ideally, you don't want to rely on users to make decisions about what they 
should use this method to secure, but it's better than nothing. Stress that a 
file-encryption mechanism such as PGP is secure only if users keep their 
passwords confidential and never transmit or store them in clear text. 



Chapter 7: Passwords 



DropBooks 

e-ma 



If you're concerned about nonsecure transmissions through e-mail, consider 
one of these options: 



k all outbound e-mail attachments that aren't protected on your 
e-mail server. 

Use an encryption program, such as PGP, to create self-extracting 
encrypted files. 

f Use content-filtering applications. 



Other Mays to crack passwords 

Over the years, I've found other ways to crack passwords, both technically 
and through social engineering. 



Keystroke loqqlnq 

One of the best techniques for cracking passwords is remote keystroke 
logging — the use of software or hardware to record keystrokes as they're 
being typed into the computer. 




Be careful with keystroke logging. Even with good intentions, monitoring 
employees can raise some legal issues. Discuss what you'll be doing with 
your legal counsel, and get approval from upper management. 



Logging toots 

With keystroke-logging tools, you can later assess the log files of your appli- 
cation to see what passwords people are using: 



Keystroke-logging applications can be installed on the monitored com- 
puter. I recommend that you check out eBlaster and Spector Pro by 
SpectorSoft (www . spector soft .com). Another popular tool that you 
can use is Invisible KeyLogger Stealth, at www . ameci sco . com/i ks . htm, 
as well as the hardware-based KeyGhost (www . keyghost .com). Dozens 
of other such tools are available on the Internet. 

Hardware-based tools fit between the keyboard and the computer or 




I replace the keyboard altogether. 
A shared computer can capture the passwords of every user who logs in. 
Countermeasures 



The best defense against the installation of keystroke-logging software on 
your systems is a spyware-detection program or popular antivirus products. 



Part II: Putting Ethical Hacking in Motion 




The potential for hackers to install keystroke-logging software is another 
reason to ensure that your users aren't downloading and installing random 
re or opening attachments in unsolicited e-mails. Consider locking 
jr desktops by setting the appropriate user rights through local or 
group security policy in Windows. Alternatively, you could use a commercial 
lock-down program, such as Fortres 101 (www . f ortres . com) for Windows or 
Deep Freeze (www . deepf reezeusa . com) for Windows and Mac OS X. 



reason 10 e 
^^lLrewtti-e 



Weak password storage 

Many legacy and stand-alone applications such as e-mail, dial-up network 
connections, and accounting software store passwords locally, making them 
vulnerable to password hacking. By performing a basic text search, I've found 
passwords stored in clear text on the local hard drives of machines. 



Searching 

You can try using your favorite text-searching utility — such as the Windows 
search function, findstr,orgrep — to search for password or passwd on your 
drives. You may be shocked to find what's on your systems. Some programs 
even write passwords to disk or leave them stored in memory. 

This is a hacker's dream. Head it off if you can. 

Court ter measures 

The only reliable way to eliminate weak password storage is to use only appli- 
cations that store passwords securely. This may not be practical, but it's your 
only guarantee that your passwords are secure. 



Before upgrading applications, contact your software vendor or search for a 
third-party solution. 



NeMork analyzer 

A network analyzer sniffs the packets traversing the network. This is what the 
bad guys do if they can gain control over a computer or gain physical network 
access to set up their network analyzer. If they gain physical access, they can 
look for a network jack on the wall and plug right in! 

Testing 

Figure 7-7 shows how crystal-clear passwords can be through the eyes of a 
network analyzer. This figure shows the password packet from an EtherPeek 
capture of a POP3 session using Microsoft Outlook to download messages 
from an e-mail server. Look in the POP — Post Office Protocol section for the 
password of "MyPassword". These same clear-text password vulnerabilities 
can apply to instant messaging, Web-site logins, telnet sessions, and more. 
Basically, if traffic is not being tunneled through a VPN, SSH, SSL, or some 
other form of encrypted link, it's vulnerable to attack. 



Chapter 7: Passwords 




capture 
of a P0P3 
password 
packet. 



Transport Control Protocol 



Port: 

(J Destination Port : 
Ninnbei- : 



f Flags 
^ Window: 
Checksum: 
Urgent Pointer : 0 
+ "ip Options : Option Type : 1 Opt: 
PDP ~ Paat OffnB Pfiituful 

< + Line 1: PASS 



2739 tn-tiat. 
110 jdop5 
707436263 
735237598 
8 C52 byte. 
i oooooo 
*011000 
46520 
OxEEOS 



i Type: 1 Option Type: 8 Length: 10 



Although you can benefit from using a commercial network analyzer such as 
EtherPeek, you don't need to buy one for your testing. An open-source pro- 
gram, Ethereal, runs on Windows and UNIX platforms. You can search for 
password traffic on the network a million ways. For example, to capture POP3 
password traffic, set up a trigger to search for the PASS command. When the 
network analyzer sees the PASS command in the packet, it starts capturing 
data until your specified time or number of packets. 

Capture this data on a hub segment of your network, or plug your network- 
analyzer system into a monitor port on a switch. Otherwise, you can't see 
anyone else's data traversing the network — just yours. Check your switch's 
user's guide for whether it has a monitor or mirror port and instructions on 
how to configure it. You can connect your network analyzer to a hub on the 
public side of your firewall. You'll capture only those packets that are enter- 
ing or leaving your network — not internal traffic. 

Court termeasures 

Here are some good defenses against network-analyzer attacks: 





Use switches on your network, not hubs. 

If you must use hubs on network segments, a program such as sniffdet, 
cpm, and sentinel can detect network cards in promiscuous mode 
(accepting all packets, whether destined for it or not). Network cards in 
this mode are signs of a network analyzer running on the network. 

W Don't let a hacker gain physical access to your switches or the network 
connection on the public side of your firewall. With physical access, a 
hacker can connect to a switch monitor port, or tap into the unswitched 
network segment outside the firewall and capture packets. 

Switches do not provide complete security because they are vulnerable to 
ARP poisoning attacks, which I cover in Chapter 9. 

Most computer BIOSs allow power-on passwords and/or setup passwords to 
protect the computer's hardware settings that are stored in the CMOS chip. 
Here are some ways around these passwords: 



Part II: Putting Ethical Hacking in Motion 



oBooks 

^jtfNG/ Some sysi 
hardware 



v 0 You can usually reset these passwords by either unplugging the CMOS 
battery or changing a jumper on the motherboard. 



word-cracking utilities for BIOS passwords are available. 



Some systems (especially laptops) can't be reset easily. You can lose all the 
hardware settings and lock yourself out of your own computer. If you plan to 
hack your own BIOS passwords, check for information in your user manual or 

onlabmice.techtarget . com /a rti cl es/BIOS_hack . htm on doing this 
safely. 

Weak passwords in Umbo 

Bad guys often exploit user accounts that have just been reset by a network 
administrator or help desk. Accounts may need to be reset if users forget their 
passwords, or if the accounts have been locked out because of failed attempts. 

Weaknesses 

Here are some reasons why user accounts can be vulnerable: 

When user accounts are reset, they often are assigned an easily cracked 
password (such as the user's name or the word password). The time 
between resetting the user account and changing the password is a 
prime opportunity for a break-in. 

Many systems have either default accounts or unused accounts with 
weak passwords or no passwords at all. These are prime targets. 

Countermeasures 

The best defenses against attacks on passwords in limbo are solid help-desk 
policies and procedures that prevent weak passwords from being available at 
any given time during the password-reset process. Perhaps the best ways to 
overcome this vulnerability are as follows: 



f* Require users to be on the phone with the help desk, or have a help- 
desk member perform the reset at the user's desk. 

V Require that the user immediately log in and change his password. 

If you need the ultimate in security, implement stronger authentication 
methods, such as challenge/response, smart cards, or digital certificates. 

\S Automate password-reset functionality on your network so users can 
manage most of their password problems without help from others. 

For a good list of default system passwords for vendor equipment, check 

www . ci rt . net/cgi -bi n/passwd . pi . 

Password-reset programs 

Network administrators occasionally use administrator password-resetting 
programs, which can be used against a network. 



Chapter 7: Passwords 



_^ (Jrie oi nr 

•pBoofe 



Tools 

Or|e of my favorites for Windows is NTAccess (www . mi ri der . com/ntaccess . 
'his program isn't fancy, but it does the job. 



Court termeasures 

The best safeguard against a hacker using a password-reset program against 
your systems is to ensure the hacker can't gain physical access. When a 
hacker has physical access, all bets are off. 



Securing Operating Systems 

You can implement various operating-system security measures to ensure 
that passwords are protected. 




Regularly perform these low-tech and high-tech password-cracking tests to 
make sure that your systems are as secure as possible — perhaps as part of a 
monthly, quarterly, or biannual audit. 



Windows 

The following countermeasures can help prevent password hacks on 
Windows systems: 

i>* Some Windows passwords can be gleaned by simply reading the clear 
text or crackable cipher text from the Windows Registry. Secure your 
registries by doing the following: 

• Allowing only administrator access. 

• Hardening the operating system by using well-known hardening 
best practices, such as such as those from SANS (www .sans.org), 
NIST (csrc.nist.gov), the National Security Agency Security 
Recommendation Guides (www .nsa.gov/snac/ index. html), and 
the ones outlined in Network Security For Dummies, by Chey Cobb 
(Wiley Publishing, Inc.). 

v 0 Use SYSKEY for enhanced Windows password protection. 

• By default, Windows 2000 encrypts the SAM database that stores 
hashes of the Windows account passwords. It's not the default in 
Windows NT. 

• You can use the SYSKEY utility to encrypt the database for 
Windows NT machines and to move the database-encryption key 
from Windows 2000 and later machines. 

Don't rely only on the SYSKEY utility. Tools such as ElcomSoft's 
Advanced EFS Data Recovery program can crack SYSKEY encryption. 



Part II: Putting Ethical Hacking in Motion 



1-^ tr* Disal 

3 Books 

For e 



**" Keep all SAM-database backup copies secure. 

Disable the storage of LM hashes in Windows for passwords that are 
ter than 15 characters. 



For example, in Windows 2000 SP2 and later, you can create and set the 
NoLMHash registry key to a value of 1 under HKEY_LOCAL_MACHINE\ 
SYSTEM\CurrentControlSet\Control\Lsa. 

Use passfilt.dll or local or group security policies to help eliminate weak 
passwords on Windows systems before they're created. 

f* Disable null sessions in your Windows version: 

• In Windows XP, enable the Do Not Allow Anonymous Enumeration 
of SAM Accounts and Shares option in the local security policy. 

• In Windows 2000, enable the No Access without Explicit 
Anonymous Permissions option in the local security policy. 

• In Windows NT, enable the following Registry key: 

HKLM/Sys ten/Cur rentControl Set /Control /LSA/RestrictAnonymous=l 



Linux and UNIX 

The following countermeasures can help prevent password cracks on Linux 
and UNIX systems: 

Use shadowed MD5 passwords. 

i>* Help prevent weak passwords from being created. You can use either 
built-in operating-system password filtering (such as cracklib in Linux) 
or a password auditing program (such as npasswd or passwd+). 

Check your /etc/passwd file for duplicate root UID entries. Hackers can 
exploit such entries as root backdoors. 



Part III 

Dr °P Boo l\tetwork Hacking 



The 5 th Wave ByRichTennant 




*Paddy and I are going -bo give 
you aU -the love. com, cave. com, and 
opportumiies.com -that -we possiblij 
can." 



DropBooks 



In this part . . . 

/m /ow that you're off and running with your ethical 
# w hacking tests, it's time to take things to a new level. 
The previous tests — at least the social engineering and 
physical security tests — have started at a high level and 
were not that technical. Times are a-changin'! You now 
need to look at network security. This is where things 
start getting more technical. 

This part starts out by looking into one of the most over- 
looked information security vulnerabilities. By that, I mean 
rogue modems installed on computers randomly through- 
out your network. This part then moves on to look at the 
network as a whole from the inside and the outside for 
everything from perimeter security to network scanning 
to DoS vulnerabilities and more. Finally, this part takes 
a look at how to assess the security of the wireless LAN 
technology that's introducing some serious security vul- 
nerabilities into networks these days. 



DropBooks 



Chapter 8 



War Dialing 



In This Chapter 

Controlling dial-up access 
Testing for war dialing weaknesses 
Preventing war dialing 




mMy ar dialing — the act of using a computer to scan other computers 
ww automatically for accessible modems — was made popular in the movie 
War Games. War dialing seems old-fashioned and less sexy than other hacking 
techniques these days; however, it's a very critical test to run against your 
network. This chapter shows how to test for war dialing vulnerabilities and 
outlines countermeasures to help keep your network from being victimized. 



It's amazing how often end users and careless network administrators con- 
nect modems to computers inside the network. Some companies spend an 
astonishing amount of money and effort to roll out intrusion-prevention soft- 
ware, application firewalls, and forensics protection tools while ignoring that 
an unsecured modem on the network can render that protection worthless. 



Modems are still on today's networks because of leftover remote access 
servers (RAS) that provide remote connectivity into the corporate network. 
Many network administrators — hesitant to deploy a VPN — still have modems 
on their servers and other hosts for other reasons, such as for administering 
the network, troubleshooting problems remotely, and even providing connec- 
tivity to remote offices. Some network administrators have legitimate modems 
installed for third-party monitoring purposes and business continuity; modems 
are a low-cost alternative network access method if the Internet connection is 
down. Many of these modems — and their software — run in default mode 
with weak passwords or none at all. 



War Dialing 



Modem safety 



Part III: Network Hacking 



networKin 
to send ar 



Practically every computer sold today has a modem. End users create dial-up 
networking connections so they can bypass the firewall-blocking and employee- 
g systems in place on the corporate network. Many users want to dial 
work computers from home. Some users even set up their modems 
to send and receive faxes so that they eliminate every possible reason to leave 
their desks during the work day. 



It's not as big a deal if the modem is configured for outbound access only, but 
there's always a chance that someone can use it to obtain inbound access. A 
software misconfiguration or a weak password can give a hacker access. 

So what's the bottom line? Unsecured modems inside the network — and 
even ones with basic passwords — can put your entire network at risk. Many 
of these modems have remote-connectivity software such as pcAnywhere, 
Procomm Plus, and even Apple Remote Access and Timbuktu Pro for Apple 
computers. This software can provide backdoor access to the entire network. 
In many cases, a hacker can take over the computer with the modem attached 
and communications software running, gaining full access to everything the 
currently logged-in user can access. Ouch! 



General telephone-system Vulnerabilities 

A war-dialing attack can uncover other telephone-system vulnerabilities: 

Dial tone: Many phone switches support a repeat, or second dial tone, 
for troubleshooting or other outbound call purposes. This allows a 
phone technician, a user, or even a hacker to enter a password at the 
first dial tone and make outbound calls to anywhere in the world — all 
on your organization's dime. Many hackers use war dialing to detect 
repeat dial tones so they can carry out these phone attacks in the future. 

v 0 Voice mail: Voice-mail systems — especially PC-based types — and 
entire private branch exchange (PBX) phone switches can be probed by 
war-dialing software and later compromised by a hacker. 



Attacking 

War dialing is not that complicated. Depending on your tools and the amount 
of phone numbers you're testing, this can be an easy test. War dialing 
involves these basic hacking methodologies: 

i>* Gathering public information and mapping your network 
V Scanning your systems 

Determining what's running on the systems discovered 
u* Attempting to penetrate the systems discovered 



Chapter 8: War Dialing 




udy in war dialing with David Rhoades 



unrTcastT study, navid Rhoades, a well-known 
war dialing and Web-application security expert, 
shared an experience performing an ISDN war 
dial. Here's an account of what happened. 

The situation 

A few years ago, Mr. Rhoades had an 
Integrated Services Digital Network (ISDN) cir- 
cuit in his home office fortwo voice lines. ISDN 
also allowed him 128Kbps Internet access. His 
ISDN terminal adapter (sometimes incorrectly 
called an ISDN modem) allowed him to call 
other ISDN numbers extremelyfast. He decided 
to write an ISDN war dialer that would take 
advantage of the amazing speed of ISDN. In 
aboutone second, he could dialthe number and 
determine whether the other side was ISDN, 
ISDN with a busy signal, or a regular analog 
line. Analog war dialing is much slower. An 
analog modem would require at least 30 sec- 
ondsto dialthe number and recognize the other 
end as a modem — and that assumes the other 
end answers on the first ring. So an ISDN war 
dialer is very fast at locating other ISDN lines. 
The only downsides are that not all ISDN equip- 
ment can detect analog modems, and you may 
have to dial in a second time to detect them 
properly. Why bother locating ISDN numbers 
with a war dial? If the other end is ISDN, a ter- 
minal adapter or some other piece of equipment 
might be remotely accessible just by calling it. 

Shortly after Mr. Rhoades wrote the ISDN war 
dialer, his company got a request for a war dial 



for a large German bank. The only catch was 
that the project called for an ISDN war dial, 
because ISDN was popular in Europe and his 
customer knew that the bank had lots of ISDN 
circuits. Mr. Rhoades soon found himself on a 
flight to Frankfurt with his software and ISDN 
terminal adapter. 

The outcome 

Mr. Rhoades found several ISDN and analog 
lineswithinthe bank'ssystem. His biggest chal- 
lenge was becoming familiar with the dial-in 
software packages, which were popular in 
Europe but unknown in the United States. 
Fortunately for Mr. Rhoades, most vendors 
offered free demos of their software, which he 
could use to access the remote systems. 

The bottom line is that if you want to be certain 
that no dial-up connections to your network 
exist, consider other methods of communica- 
tion, such as ISDN. Also, never assume that 
well-known communications software is being 
used on the dial-up connection. If you don't rec- 
ognize what's answering, explore it further. The 
bad guys most certainly will. 

David Rhoades is a principal consultant 
with Maven Security Consulting Inc. (www. 
mavensecuri ty . com) and teaches at secu- 
rity conferences around the globe for USENIX, 
the MIS Training Institute, and ISACA. 



The process of war dialing is as simple as entering phone numbers into your 
freeware or commercial war-dialing software and letting the program work its 
magic — preferably overnight, so you can get some sleep! 




Before you get started, keep in mind that it might be illegal to war-dial in your 
jurisdiction, so be careful! Also, make sure you war-dial only the numbers 
you're authorized to dial. Even though you will most likely perform your war 
dialing after hours — at night or over a weekend — make sure that upper 



7 08 Part I": Network Hacking 



DropBoote 

longer to ( 



management and possibly even the people who are working know what 
you're doing. You don't want anyone being surprised by this! 




g is slow, because it can take anywhere from 30 to 60 seconds or 
longer to dial and test one number. A war-dialing test can take all night or 
even a weekend to dial all the numbers in one exchange. To counter this, if 
you use ToneLoc for your war dialing, there's a neat utility called Prescan, 
part of the ToneLoc Utilities Phun-Pak (www . hackcanada . com/i ce3/phreak) 
that will let you fill in ToneLoc data files with known exchanges before you 
ever get started. This can save a ton of time! 

You may have several thousand phone numbers to test if you need to test 
an entire exchange, so this process can take some time. If you use several 
modems at once for your tests, you can speed the testing time dramatically. 
However, before you can do this, several things have to be in place: 

You need multiple analog lines to dial out from. Today, these analog lines 
can be hard to get. 

i>* Given the complexities involved, you may have to do one of the following: 

• Be present during the tests so you can manage all the war-dialing 
sessions you have to load. 

• Automate the tests with batch files. 

• Use a commercial war-dialing utility that supports simultaneous 
testing with multiple modems. 

Gathering information 

To get started, you need phone numbers to test for modems. You can program 
these numbers into your war-dialing software and automate the process. 

You need to find two kinds of phone numbers for testing: 

is* Dialing ranges assigned to your organization, such as the following: 

• 555-0000 through 555-9999 (10,000 possible numbers) 

• 555-0100 through 555-0499 (400 possible numbers) 

• 555-1550 through 555-1599 (50 possible numbers) 

i>* Nonstandard analog numbers that have a different exchange from your 
main digital lines. These numbers may not be publicly advertised. 

To find or verify your organization's phone numbers, check these resources: 

Local telephone white and yellow pages. Either refer to hard copies or 
check out Internet sites such as www .switchboard. com. 

j>* Internet searches for your company name and main phone number. 
(Check your organization's Web site, too.) 



Chapter 8: War Dialing 



pBocfe 



Google may find published numbers in surprising places, such as cham- 
ber of commerce and industry association listings. 



net domain name Whois entries at a lookup site such as www . 
pade.org. The Whois database often contains direct phone num- 
bers and other contact information that can give a hacker a leg up on 
the phone-number scheme within your organization. 

W Phone-service documentation, such as monthly phone bills and phone- 
system installation paperwork 



Selecting itiay-diatinq tools 

War dialing requires outbound phone access, software tools, and a compatible 
modem. 



Software 

Most war-dialing tools are freeware or shareware, but a few commercial war- 
dialing tools are also available, such as PhoneSweep by Sandstorm Enterprises 

(www .sandstorm.net/products/phonesweep). 



These two freeware tools are very effective: 



If ToneLoc (www . securi tyf ocus .com/data/tool s/auditing/pstn/ 
tlll0.zip), written by Minor Threat and Mucho Maas 
THC-Scan, written by The Hacker's Choice (www.thc.org/releases.php) 

There's a list of war-dialing programs at www . pestpatrol . com/pesti nf 0/ 
phreaki ng_tool .asp. If the freeware tools don't have features you need, 
consider a commercial product, such as PhoneSweep. 

Modems 

A plain Hayes-compatible modem usually is fine for outbound war dialing. 

I've had trouble running both ToneLoc and THC-Scan on various modems, so 
you may have to tinker with COM port settings, modem initialization strings, 
and even modem types until you find a combinations that works. 

The best way to determine what type of modem to use is to consult your war- 
dialing software's documentation: 

If in doubt, go with a name-brand model, such as U.S. Robotics, 3Com, or 
an older Hayes unit. 

/Asa last resort, check the modem documentation for features that the 
modem supports. 

You can use this information to ensure you have the best software and hard- 
ware combination to minimize any potential headaches. 



/ 10 Part III: Network Hacking 




Some modems can increase war-dialing efficiency by detecting 



•es, which can speed up the war-dialing process 



/^second dial tones, which allows more dialing from the system 
biatinq in from the outside 

War dialing is pretty basic — you enter the phone numbers you want to dial 
into your war-dialing software, kick off the program, and let it do its magic. 
When the war-dialing software finds a carrier (which is basically a valid 
modem connection), the software logs the number, hangs up, and tries 
another number you programmed it to test. 

Keep the following in mind to maximize your war-dialing efforts: 

i>* Configure your war-dialing software to dial the list of numbers randomly 
instead of sequentially, if possible. 

Some phone switches, war-dialing detection programs (such as 
Sandstorm Enterprises' Sandtrap), and even the phone company itself 
may detect and stop war dialing — especially when an entire exchange 
of phone numbers is dialed sequentially or quickly. 

If you're dialing from a line that can block Caller ID, dial *67 immediately 
before dialing the number so your phone number isn't displayed. This 
may not work if you're calling toll-free numbers. 

If you're dialing long-distance numbers during your testing, make sure 
that you know about the potential charges. Costs can add up fast! 

Using toots 

ToneLoc and THC-Scan are similar in usage and functionality: 

Run a configuration utility to configure your modem and other dial 
settings. 

v 0 Run the executable file to war-dial. 

There are a few differences between the two, such as timeout settings and other 
enhanced menu functionality that was introduced in THC-Scan. You can get an 
outline of all the differences at web . textf i 1 es . com/sof tware/tonel oc . txt. 

Configuration 

In this example, I use my all-time favorite tool — ToneLoc — for war dialing. 
To begin the configuration process for ToneLoc, run the tl cf g . exe utility. 
You can tweak modem, dialing, and logging settings. 



Two settings on the ModemOptions menu are likely to need adjustments, as 
shown in Figure 8-1: 



Chapter 8: War Dialing 



Serial port 



pBooks 



• Enter 1, 2, 3, or 4 for the specific COM port where your modem is 
installed. 




Figure 8-1: 

Configuring 
the modem 
in ToneLoc's 
TLCFG 
utility. 



Leave the Port Address and Port IRQ settings at 0 for the default 
settings unless you've made configuration changes to your modem. 



If you're not sure what port your modem is installed on, run msi nf o32 . 
exe from the Windows Start/Run prompt, and browse to the Components/ 
Modem folder. The modem's COM port value is listed in the Attached To 
item, as shown in Figure 8-2. 

W Baud rate. Enter at least 19,200 if your modem supports it — preferably 
1 15,000 if you have a 56K modem. 

You may not be able to war-dial some older — and much slower — 
modems if the rates don't match. 



C:\WINNT\sy stem32\cmd.eHe - tlcfg 



ModemOptions 



Port Address 
Port IRQ 
Baud Rate 
Use FOSSIL 
Comnand De lay 
Character Delay 
Response Wait 
Ignore CD line 
CTS line 



lore Unknowns 



3 

a 
a 

192B0 
N 

250 

a 

358 
N 
N 
N 



What baud rate to use 



Fl for help 



Figure 8-2: 

Determining 
your 
modem's 
port COM 
port with the 
Windows 
System 
Information 
tool. 



W System Informatio 



Action Mew loois |] <fr ■» | B[E ' El 1 # [3 0|> [j? H fi£ fiD £J 



Tree | 



^ System Information 

. | System Summary 

I Hardware Resources 

| Components 

H- L_l Multimedia 
I Display 
I Infrared 
B ] Input 

~"^(SEEEBi 

H LJ Network 
H LJ Ports 
B- LJ Storage 
L_i Printing 

J Problem Devices 

[_| USB 

| Software Environment 

"I Internet Explorer 
I Office 10 Applications 
I Applications 



| Value 



Name 
Description 


PCTEL 2304WT V.92 MDC Modem 
PCTEL 2304WT V.92 MDC Modem 


Device ID 


PC1\VEN_8D868£)EV_24B6&SUBSYS_. . . 


Device Type 


Internal Modem 


Attached To 


COM3 


Answer Mode 


Not Available 


CompressionOff 


%C0 


CompressionOn 


%C3 


ErrorControlForced 


\N2 


ErrorControlOff 


\N0 


Er r or CoritrolOri 


\N3 


SpeakerModeDial 


Ml 


SpeakerModeOff 


MO 


SpeakerModeOn 


M2 


SpeakerModeSetup 


M3 


SpeakerVolumeHigh 


Not Available 


SpeakerVolumeLow 


Not Available 


SpeakerVolumeMed 


Not Available 



Part III: Network Hacking 



After you' 

d Books* 



Testing 

Af|er you've configured ToneLoc, you're ready to start war dialing with one of 
ing options: 




Number range. For a range of numbers from 770-555-1200 through 
770-555-1209, enter the following command at a command prompt: 

toneloc 770-555-12XX /R:00-09 

This command tells ToneLoc to dial all numbers beginning with 404-555-15 
numbers and then use the range of 00 through 99 in place of XX. 

V Single number. To test one number (770-555-1234), enter it at a command 
prompt like this: 

toneloc 770-555-123X /R:4-4 



To see all the command-line options, enter tonel oc by itself at a command 
prompt. 

After you enter the appropriate command (if you've configured the program 
correctly and your modem is working), ToneLoc produces test results in two 
forms: 



Activity and counter display. As shown in Figure 8-3, ToneLoc displays its 
activity and increments its counters, such as the number of carriers and 
busy signals. 

i>* tone .1 og file. The following information is stored in this log file: 

• Records of all activities during testing. You can peruse this file for 
failed attempts (such as busy signals) to retest later. 

• Lists the carriers that ToneLoc discovered and such as the infor- 
mation displayed as a login prompt. You can use this information 
to penetrate your systems further. 



Figure 8-3: 

ToneLoc in 
the middle 
of a war 
dial. 



DOS Prompt - toneloc wardial /m:404-555-lZ34 



-1 Activity Log p 



17:37 
17:37 



35 ToneLoc ul.lB (Sep 29 1994> 

35 ToneLoc started on 24-Nou-103 

35 Using COM3 ■ 16458 U»RT> 

35 Data file: UP.RDIhL.DhT 

35 Config file: TL.CFG 

35 Log Tile: TONE. LOG 

35 Mask used: 4B4-5SS-1234 

35 Scanning for: Carriers 

35 Initializing Modem ... Done 

48 484-555-1234 - 



jnjx] 



Modem \— 

hTZ 
OK 

BIX4S11-50 

OK 

Rtttt 

OX 

ATDT 404-555-1234 



1 Statistics I 

Starteil: 17:37:35 liinq: 
Current: 17:37:46 Sees: 
1 

Dials/Hour: £18 ETR : 

H Found 

CD's 
Uoice 
Busy 
Rings 



B/ 0 

5/35 



ep 29 1994> by Minor 



Chapter 8: War Dialing 



An abbreviated tone . 1 og file is as follows: 



pBooi 



^20 " 

j20 ToneLoc vl.10 (Sep 29 1994) 

'20 ToneLoc started on 31-Jan-104 

01:18:20 Using C0M1 (16450 UART) 

01:18:20 Data file: 770-555-.DAT 

01:18:20 Config file: TL.CFG 

01:18:20 Log file: TONE. LOG 

01:18:20 Mask used: 770-555-12XX 

01:18:20 Range used: 00-09 

01:18:20 Scanning for: Carriers 

01:18:20 Initializing Modem ... Done 

01:18:24 770-555-1208 - Timeout (0) 

01:19:02 770-555-1201 - Busy 

01:19:40 770-555-1205 - No Carrier 

01:22:52 770-555-1207 - * CARRIER * 

01:23:30 770-555-1204 - Timeout (0) 

01:24:08 Autosaving 

01:24:48 770-555-1206 - Timeout (0) 

01:25:20 All 10 numbers dialed 

01:25:20 Sending exit string ... Done 

01:25:21 Dials = 10, Dials/hour = 94 

01:25:21 0:07 spent current scan 

01:25:21 Exit with errorlevel 0 



In the sixth line of the preceding example, ToneLoc is configured to read the 
TL.CFG file for its configuration options. With the seventh line, the findings 
are written to the TONE . LOG file. 



The range of numbers dialed is 770-555-1200 through 770-555-1209. You can 
determine this by substituting the Range values (00-09) for the XX in the 
mask. ToneLoc dials numbers randomly, as you can see since it started with 
770-555-1208, and so forth. The 1208, 1204, and 1206 numbers just timed out 
(meaning that no modem was detected). The 1201 number was apparently 
busy at the time, and the 1205 number didn't answer at all. ToneLoc found a 
carrier (modem) on the 1207 number. Ah ha! Time to dig deeper to see what's 
on the other end — such as what you're prompted with and details about the 
remote system that are given. 



Rooting through the systems 

When you identify phone numbers with modems attached, take one of these 
actions to penetrate the system further and test for related vulnerabilities: 

W Stop your testing, determine whether the modems are legitimate, and 
disable or remove any rogue modems. 



Part III: Network Hacking 



DBooks 



Attempt to penetrate the systems further by 

• Determining what application is listening on the other end by using 
a communications program, such as Carbon Copy, Procomm Plus, 
or the free HyperTerminal that's built into Windows. 

• Attempting to crack passwords, if necessary. 

Commercial tools such as PhoneSweep automate this process for you — 
making purchasing such a tool a lot more attractive. 

A few questions can help you determine what's listening on the other end 
and decide whether to investigate this device and possibly remove it: 

How many rings does it take for the carrier to pick up? 

Is the carrier available only during certain time periods? 

What type of authentication prompt is presented (password only, user 
ID and password, or another combination)? 

Does login screen or banner tell you about the software that's running? 



Counternieasures 

A few countermeasures can help protect your network against war dialing. 
Phone numbers 

You can protect your phone numbers — especially those that are assigned to 
modems on critical computer systems — by: 

Limiting the phone numbers that are made public. 

Work with human resources, marketing, and management to ensure that 
only necessary phone numbers are unveiled. 

Obtaining analog-line phone numbers that aren't within the standard 
exchange of your main digital lines. This prevents hackers from finding 
modems within your main phone-number block. 

Modem operation 

You can help prevent unauthorized modem usage and operation by: 

Documenting, publishing, and educating all end users on modem usage. 
If users need modem access, require them to present the business reason. 

W Requiring strong passwords on all communications software. 



Chapter 8: War Dialing 



I Purchasing dial-only modems or disabling inbound access in your com- 



munications software. 



DropBoote 





cy applications may require occasional modem access. Make it 
'cy — and train your users — to keep the modem powered off or 
unplugged from the phone line when it's not being used. 



When installing modems into computers within the organization, require all 
dial-up networking through either a VPN or a modem pool connected to a 
RAS server that IT/security manages centrally. Review all telephone bills each 
month to ensure that you don't have unauthorized lines installed. 

Installation 

Secure modem placement maximizes security, prevents war-dialing attacks, 
and makes modem management and future ethical hacking tests much easier: 

External modems are usually easy to see, but they can be hidden under 
desks and forgotten. 

i>* Internal modems may require you to inspect every networked computer 
physically for a phone cable plugged into the back. 

Digital phone-line converters can allow a user to connect an analog modem 
to a digital line — which normally fries the modem. 



116 Part III: Network Hacking 

DropBooks 



Chapter 9 

00 Network Infrastructure 



In This Chapter 

Selecting tools 

Scanning network hosts 

Assessing security with a network analyzer 

Preventing denial-of-service and infrastructure vulnerabilities 



\M our computer systems and applications require one of the most funda- 
mental communications systems in your organization — your network. 
Your network consists of such devices as routers, firewalls, and even generic 
hosts (including servers and workstations) that you must assess as part of 
the ethical hacking process. 

Many people refer to ethical hacking in terms of performing security tests 
from a network-only perspective. This is only part of the overall issue. You 
can't discount the basics of old-fashioned network security tests. I outline 
them in this chapter, with some solid countermeasures to foil attacks against 
your network. 

There are thousands of possible network vulnerabilities, equally as many 
tools, and even more testing techniques. You don't need to test your network 
for every possible vulnerability, using every tool available and technique 
imaginable. The tests in this chapter produce a good overall assessment of 
your network. 

You can eliminate many well-known network vulnerabilities by simply patch- 
ing your network hosts with the latest vendor software and firmware patches. 
Odds are that your network will not be attacked to exploit most of these vul- 
nerabilities. Even if it is, the results are not likely to be detrimental. You can 
eliminate many other vulnerabilities by following some security best practices 
on your network. The tests, tools, and techniques in this chapter offer the 
most bang for your ethical hacking buck. 



Part III: Network Hacking 



Q^casri&iidy in hacking network infrastructures 
DUUKb W ith Laura Chappell 



Laura Chappell — one of the world's foremost 
authorities on network protocols and analysis — 
shared with me an interesting experience she 
had when assessing a customer's network. 
Here's her account of what happened. 

The Situation 

Ms. Chappell had a customer call with a routine 
"the network is slow" problem. Upon her arrival 
onsite, the customer mentioned sporadic out- 
ages and poor performance when connecting 
to the Internet as well. First, she examined 
individual flows between various clients and 
servers. Localized communications appeared 
normal, but any communication that flowed 
through the firewall to the Internet or other 
branch offices was severely delayed. It was 
time to sniff the traffic going through the firewall 
to see whether she could isolate the cause of 
the delay. 

The Outcome 

A quick review of the traffic crossing the fire- 
wall indicated that the outside links were satu- 
rated, so it was time to review and classify the 
traffic. Using the Sniffer Network Analyzer, Ms. 
Chappell plugged in to examine the protocol dis- 
tribution. She sawthat almost 45 percent of the 
traffic was listed as "others" and was unrecog- 
nizable. She captured some data and found sev- 
eral references to pornographic images. Further 
examination of the packets led her to two spe- 
cific port numbers that appeared consistently in 
the trace files — port 1214 (Kazaa) and 6346 
(Gnutella), two peer-to-peer (P2P) file sharing 
applications. She did a complete port scan 
of the network to see what was running and 
found over 30 systems running either Kazaa or 
Gnutella. Their file transfer processes were 
eating up the bandwidth and dragging down 
all communications. It would have been simple 
to shut down these systems and remove the 



applications, but she wanted to investigate 
them further without the users' knowledge. 

Ms. Chappell decided to use her own Kazaa and 
Gnutella clients to look through the shared fold- 
ers of the systems. By becoming a peer member 
with the other hosts on the network, she could 
perform searches through other shared folders, 
which indicated some of the users had shared 
their network directories! Through these shared 
folders, she was able to obtain the corporate 
personnel roster, including home phone num- 
bers and addresses, accounting records, and 
several confidential memos that provided time- 
lines for projects underway at the company! 

Many users said they shared these folders to 
regain access to the P2P network, because they 
had previously been labeled free loaders 
because their shares contained only a few files. 
They were under the delusion that because no 
one knew the filenames contained in the net- 
work directories, no one would search for 
matching values. Although this on-site visit 
started with a standard performance and com- 
munication review, it ended with the detection 
of some huge security breaches in the com- 
pany. Anyone can use these P2P tools to get 
onto the network and grab the files in the 
shared folders — with no authorization or 
authentication required! 

Laura Chappell is Senior Protocol Analyst at 
the Protocol Analysis Institute, LLC (www. 
packet-1 evel .com). A best-selling author 
and lecturer, Ms. Chappell has trained thou- 
sands of network administrators, security tech- 
nicians, and law enforcement personnel on 
packet-level security, troubleshooting, and opti- 
mization techniques. I highly recommend that 
you check out her Web site for some excellent 
technical content to help you become a better 
ethical hacker. 



Chapter 9: Network Infrastructure 



Netitfork infrastructure Vulnerabilities 

•pBooks 

security i 



infrastructure vulnerabilities are the foundation for all technical 
security issues in your information systems. These lower-level vulnerabilities 
affect everything running on your network. That's why you need to test for 
them and eliminate them whenever possible. 

Your focus for ethical hacking tests on your network infrastructure should be 
to find weaknesses that others can see in your network so you can quantify 
your level of exposure. 

Many issues are related to the security of your network infrastructure. Some 
issues are more technical and require you to use various tools to assess them 
properly. You can assess others with a good pair of eyes and some logical 
thinking. Some issues are easy to see from outside the network, and others 
are easier to detect from inside your network. 



Network infrastructure security involves assessing such areas as 



i>* Where such devices as a firewall or IDS (intrusion detection system) are 
placed on the network and how they are configured 

What hackers see when they perform port scans and how they can 
exploit vulnerabilities in your network hosts 

*** Network design, such as Internet connections, remote-access capabili- 
ties, layered defenses, and placement of hosts on the network 

i>* Interaction of installed security devices 

f* Protocols in use 

Commonly attacked ports that are unprotected 

Network host configuration 

Network monitoring and maintenance 



If any of these network security issues is exploited, bad things can happen: 

i>* A DoS attack can take down your Internet connection — or even your 
entire network. 

A hacker using a network analyzer can steal confidential information in 
e-mails and files being transferred. 

Backdoors into your network can be set up. 

v 0 Specific hosts can be attacked by exploiting local vulnerabilities across 
the network. 



120 Part III: Network Hacking 



® 



DropBooks 



Before moving forward with assessing your network infrastructure security, 
remember to do the following: 



your systems from both the outside in and the inside out. 



i>* Obtain permission from partner networks that are connected to your 
network to check for vulnerabilities on their ends that can affect your 
network's security, such as open ports and lack of a firewall or a miscon- 
figured router. 



Choosing Toots 

Your tests require the right tools. Great commercial, shareware, and freeware 
tools are available. 



If you're looking for easy-to-use security tools with all-in-one packaging, you get 
what you pay for — most of the time — especially for the Windows platform. 
Tons of security professionals swear by many free security tools, especially 
those that run on UNIX-based operating systems. Many of these tools offer a 
lot of value — if you have the time, patience, and willingness to learn their ins 
and outs. 

^\NG/ You can equip your toolbox with scanners and vulnerability-assessment tools. 
You need more than one tool. No tool does everything you need. 



Scanners 

These scanners provide practically all the port-scanning and network-testing 
tools you'll need: 

v 0 Sam Spade for Windows (samspade.org/ssw) for network queries from 
DNS lookups to traceroutes 

SuperScan (www . f oundstone .com) for ping sweeps and port scanning 

i>* NetScanTools Pro (www . netscantool s . com) for dozens of network 
security-assessment functions, including ping sweeps, port scanning, 
and SMTP relay testing 

i>* Nmap (www . i nsecure . org/nmap) or NMapWin (sourcef orge .net/ 
projects/nmapwin)asa happy-clicky-GUI front end for host-port probing 
and operating-system fingerprinting 

V Netcat (www .atstake. com /research/tool s/networ k_uti 1 i ties) the 
most versatile security tool for such security checks as port scanning 
and firewall testing 

WildPackets EtherPeek (www .wi 1 dpackets .com) for network analysis 





Chapter 9: Network Infrastructure 



'pBocfe 



Vulnerability assessment 



lnerability-assessment tools will allow you to test your network 
various known vulnerabilities as well as potential configuration 
issues that could lead to security exploits: 

GF1 LANguard Network Security Scanner (www . gf i . com) for port scan- 
ning and other vulnerability testing 

V Nessus (www .nessus.org) as a free all-in-one tool for such tests as ping 
sweeps, port scanning, and vulnerability testing 

f* Qualys QualysGuard (www . qua 1 ys .com) as a great all-in-one tool for in- 
depth vulnerability testing, if you can justify the cost 



Scanning Poking and Proddinq 

Performing these ethical hacks on your network infrastructure involves fol- 
lowing basic hacking steps: 

1 . Gather information and map your network. 

2. Scan your systems to see which are available. 

3. Determine what's running on the systems discovered. 

4. Attempt to penetrate the systems discovered, if you choose to. 



Every network card driver and implementation of TCP/IP in most operating 
systems, including Windows and Linux, and even in your firewalls and routers, 
has quirks that result in different behaviors when scanning, poking, and prod- 
ding your systems. This can result in different responses from your varying 
systems. Refer to your administrator guides or vendor Web sites for details 
on any known issues and possible patches that are available to fix them. If 
you have all your systems patched, this shouldn't be an issue. 



Port scanners 

A port scanner shows you what's what on your network. It's a software tool 
that basically scans the network to see who's there. 

Port scanners provide basic views of how the network is laid out. They can 
help identify unauthorized hosts or applications and network host configura- 
tion errors that can cause serious security vulnerabilities. 

The big-picture view from port scanners often uncovers security issues 
that may otherwise go unnoticed. Port scanners are easy to use and can test 



/22 Part III: Network Hacking 



DropBodkS 

The real 1 



systems regardless of what operating systems and applications they're run- 
ning. The tests can be performed very quickly without having to touch indi- 
twork hosts, which would be a real pain otherwise. 





The real trick to assessing your overall network security is interpreting the 
results you get back. You can get false positives on open ports, and you may 
have to dig deeper. For example, UDP scans — like the protocol itself — are 
less reliable than TCP scans and often produce false positives, because many 
applications don't know how to respond to random incoming UDP scans. 

A feature-rich scanner — usually, a commercial product — often can identify 
ports and see what's running in one step. 

Port-scan tests take time. The length of time depends on the number of hosts 
you have, the number of ports you scan, the tools you use, and the speed of 
your network links. 

Scan more than just the important hosts. These other systems often bite you 
if you ignore them. Also, perform the same tests with different utilities to see 
whether you get different results. Not all tools find the same open ports and 
vulnerabilities. This is unfortunate, but it's a reality of ethical hacking tests. 

If your results don't match after you run the tests using different tools, you 
may want to explore the issue further. If something doesn't look right — such 
as a strange set of open ports — it probably isn't. Test it again; if you're in 
doubt, use another tool for a different perspective. 

As an ethical hacker, you should scan all 65,535 UDP and 65,535 TCP ports on 
each network host that's found by your scanner. If you find questionable ports, 
look for documentation that the application is known and authorized. 

For speed and simplicity, you can scan commonly hacked ports (listed in 
Table 9-1). 



Table 9-1 


Commonly Hacked Ports 




Port Numbers 


Service 


Protocols 


7 


Echo 


TCP, UDP 


19 


Chargen 


TCP, UDP 


20 


FTP data (File Transfer Protocol) 


TCP 


21 


FTP control 


TCP 


22 


SSH 


TCP 


23 


Telnet 


TCP 



Chapter 9: Network Infrastructure 



Port Numbers 


Service 




Protocols 




SMTP (Simple Mail Transfer Protocol) 


TCP 




Daytime 




TCP, UDP 


53 


DNS (Domain Name System) 


UDP 


69 


TFTP (Trivial File Transfer Protocol) 


UDP 


79 


Finger 




TCP, UDP 








80 


HTTP (Hypertext Transfer Protocol) 


TCP 


110 


P0P3 (Post Office Protocol version 3) 


TCP 


111 


SUN RPC (remote procedure calls) 


TCP, UDP 


135 


RPC/DCE end point mapper for Microsoft networks 


TCP, UDP 


137,138,139 


NetBIOS over TCP/IP 


TCP, UDP 


161 


SNMP (Simple Network Management Protocol) 


TCP, UDP 


220 


IMAP (Internet Message Access Protocol) 


TCP 


443 


HTTPS (HTTP over SSL) 


TCP 










512,513,514 


Berkeley rcommands (such as rsh, rexec, and rlogin) 


TCP 


1214 


Kazaa and Morph 


eus 


TCP, UDP 


1433 


Microsoft SQL Se 


rver 


TCP, UDP 


1434 


Microsoft SQL Monitor 


TCP, UDP 


3389 


Windows Terminal Server 


TCP 


5631,5632 


pcAnywhere 




TCP 


6346, 6347 


Gnutella 




TCP, UDP 










12345,12346, 
20034, 20035 


NetBus 




TCP 


27444 


Trinoo 




UDP 


27665 


Trinoo 




TCP 


31335 


Trinoo 




UDP 


31337 


Back Orifice 




UDP 


34555 


Trinoo 




UDP 



Part III: Network Hacking 



■-^ A f ing sw( 

pBocfe 



Pinq sweep 

A sing sweep of all your network subnets and hosts is a good way to find out 
sts are alive and kicking on the network. A ping sweep is when you 
ge of addresses using Internet Control Message Protocol (ICMP) 
packets. Figure 9-1 shows the command and the results of using Nmap to per- 
form a ping sweep of a class C subnet range. 




Dozens of Nmap command-line options exist, which can be overwhelming 
when you just want to do a basic scan. You can just enter nmap on the com- 
mand line to see all the options available. 

These command-line options can be used for an Nmap ping sweep: 

- s P tells Nmap to perform a ping scan. 

i>* - n tells Nmap to not perform name resolution. 

You may want to omit this if you want to resolve hostnames to see which 
systems are responding. Name resolution may take slightly longer, though. 

• -T 4 option tells Nmap to perform an aggressive (faster) scan. 

• 192. 168. 1.1-2 54 tells Nmap to scan the entire 192.168.1.x subnet. 



Figure 9-1: 

Performing 
a ping 
sweep of 
an entire 
class C 
network 
with Nmap. 



,„ sP -n -T 4 192.168.1.1-254 
lap 3.48 C http://uuu. insecure . org/nnap > ai 

18.I.I appears to be up. 
i8.1.20 appears to be up. 
i8.1.30 appears to be up. 
i8.1.40 appears to be up. 
i8.1.50 appears to be up. 
18. 1.65 appears to be up. 
.8.1.100 appears to be up. 
.8.1.101 appears to be up. 
.8.1.102 appears to be up. 
.8.1.103 appears to be up. 
.8.1.104 appears to be up. 
.8.1.106 appears to be up. 
.8.1.122 appears to be up. 

mpleted — 254 IP addresses (13 hosts up> ! 



1-02-07 14:03 Eastern ' 



ed in 10.455 seconds 



4$ 



Port scanning 

Most port scanners operate in three steps: 

1. The port scanner sends TCP SYN requests to the host or range of hosts 
you set it to scan. 

Some port scanners, such as SuperScan, perform ping sweeps to deter- 
mine which hosts are available before starting the TCP port scans. 

Most port scanners scan only TCP ports by default. Don't forget about 
UDP ports. You can scan UDP ports with a UDP port scanner such as 
Nmap LANguard Network Security Scanner. 



Chapter 9: Network Infrastructure 



ipBooS' 



2. The port scanner waits for replies from the available hosts. 

The port scanner probes these available hosts for up to 65,535 possible 
and UDP ports — based on which ports you tell it to scan — to see 
h ones have available services on them. 



The port scans provide the following information about the live hosts on 
your network: 

v 0 Hosts that are active and reachable through the network 

Network addresses of the hosts found 
t<«* Services or applications that the hosts may be running 

After performing a generic sweep of the network, you can dig deeper into 
specific hosts you've found. 

SuperScan 

My favorite tool to perform generic TCP port scans is SuperScan. Figure 9-2 
shows the results of my scan and a few interesting ports open on several 
hosts, including Windows Terminal Server and SSH. 



Figure 9-2: 

A TCP port 
scan using 
SuperScan. 



I 



Hostname Lookup 



l-lnlxl 



Resolved [~~ 



Stail|lO 11.121 



Stop|l011 12254 



1 PtevC | NextC | 1 


.254 | 


1 1* Ignore IP zero 




1 1* Ignore IP 255 


_J 


1 l~~ Extract trom file 



Timeout 

Ping 
[400 

Connect 
1 2000 

Read 
14000 



Scan type 



I - Resolve hostnarnes 

Only scan responsive pings 

W Show host responses 

C Ping only 

I Every port in list 

f* All selected ports in list 
All list ports from p ft 

f" All ports from H ft 




Speed 

Max 



0.11.12.2 

25 Simple Mail Transfer 
80 World Wide Web HTTP 

110 Post Office Protocol -Version 3 

139 NETBIOS Session Service 

445 Microsoft-DS 

1723 pptp 

3389 Windows Terminal Server 
0.11.12.110 
0.11.12.203 
0.11,12.204 
0.11.12.205 

22 SSH Remote Login Protocol 



1 ^1 Active hosts 
Open ports 



In Figure 9-2, 1 selected the Only Scan Responsive Pings and All Selected Ports 
in List options. However, you may want to select some other options: 



Part III: Network Hacking 



pBookS 



V If you don't want to ping each host first — which helps make the test run 
more efficiently — deselect the Only Scan Responsive Pings option. (ICMP 



be blocked, which can cause the scanner to not find certain hosts.) 



u want to scan a certain range of well-known ports or ports specific 
to your systems, you can configure SuperScan to do so. I recommend 
these settings: 

• If you want to perform a scan on well-known ports, at least select 
the All Selected Ports in List option. 

• If this is your initial scan, scan all ports from 1 to 65,535. 



Nmap 

After you have a general idea of what hosts are available and what ports are 
open, you can perform fancier scans to verify that the ports are actually open 
and not being reported as a false positive. If you wish to do this, Nmap is the 
perfect tool to use. Nmap allows you to run the following additional scans: 



Connect: This basic TCP scan looks for any open TCP ports on the host. 
You can use this scan to see what's running and determine whether IDSs, 
firewalls, or other logging devices log the connections. 

UDP Scan: This basic UDP scan looks for any open UDP ports on the 
host. You can use this scan to see what's running and determine 
whether IDSs, firewalls, or other logging devices log the connections. 

i>* SYN Stealth: This scan creates a half-open TCP connection with the host 
possibly evading IDS systems and logging. This is a good scan for testing 
IDSs, firewalls, and other logging devices. 

i>* FIN Stealth, Xmas Tree, and Null: These scans let you mix things up a 
bit — no pun intended — by sending strangely formed packets to your 
network hosts so you can see how they respond. These scans basically 
change around the flags in the TCP headers of each packet, which allows 
you to test how each host handles them to point out weak TCP/IP imple- 
mentations and patches that may need to be applied. 



Be careful when performing these scans. You can create your own DoS attack 
and potentially crash applications or entire systems. Unfortunately, if you 
have a host with a weak TCP/IP stack (the software that controls TCP/IP com- 
munications on your hosts), there is no good way to prevent this. The best 
way to reduce the chance of this occurring is to use the slow Nmap timing 
options — Paranoid, Sneaky, or Polite — when running your scans. 

Figure 9-3 shows the NMapWin Scan tab, where you can select all these 
options. If you're a command-line fan, you see the command-line parameters 
displayed in the lower-left corner of the NMapWin screen. This helps when 
you know what you want to do and the command-line help isn't enough. 



Chapter 9: Network Infrastructure 




Figure 9-3: 

In-depth 
port- 
scanning 
options in 
NMapWin. 



Scan | 
Help I 



Exit 



Options j Timing | Files | Service | Win32 | 

Scan Options 



Scan | Di 
Mode 

C Connect C Null Scan f Window Scan 

C SYN Stealth C XmasTfee C RCPScan 

C FIN Stealth C IP Scan C List Scan 

f Ping Sweep C Idle Scan 

C UDPScan C ACKScan 



r Port Range V Use Decoy V Bounce Scan 



I - Device 



f~ Souice Address V Source Port 



l~~ Idle Scan Host 



Output 



|CMD: -sS -PT PI -0 -T 3 10.11 12.1/24 



01/12/03 | 17:49:22 



If you connect to a single port carefully enough (as opposed to several all at 
once) without making too much noise, you may be able evade your IDS/IDP 
system. This is a good test of your IDS and firewall systems, so assess your 
logs to see what they saw during this process. 

Countermeasures 

You can implement various countermeasures to typical port scanning. 
Traffic restriction 

Enable only the traffic you need to access internal hosts — preferably as far 
as possible from the hosts you're trying to protect. You apply these rules in 
two places: 

External router for inbound traffic 

v* Firewall for outbound traffic 

Configure firewalls to look for potentially malicious behavior over time 
(such as the number of packets received in a certain period of time), and 
have rules in place to cut off attacks if a certain threshold is reached, 
such as 100 port scans in one minute. 




Most firewalls, IDSs, and IDPs detect port scanning and cut it off in real 
time. Figure 9-4 shows an example: A basic Nmap OS fingerprint scan 
was detected and cut off (hence the black slash) by ISS's BlacklCE per- 
sonal firewall and IDP product in real time. 



Part III: Network Hacking 



dBoo 



Figure 9-4: 

BlacklCE 
logs 
showing 
how an 
Nmap scan 
was cut off. 



• BlacklCE PC Protection 



File Edit View Tools Help 
Evlnts | Intruders | History | 




® 11/30/2003 4:20:32 PM Nmap_OS_Fingerprint 10.11.12.205 
(§) 1 1 /30/2003 4:20:32 PM TCP_05_Fingerprint 10,1 1,1 2.205 



[Pre-attack Probe) This signature detects UDP port probes directed at ports 
not detected by more specific signatures. 



Help 



Gathering network information 

NetScanTools Pro is a great tool for general network information, such as the 
number of unique IP addresses, NetBIOS names, and MAC addresses found. 

The following report is an example of the NetScanner (network scanner) 
output of NetScanTools Pro 2000: 

Statistics for NetScanner 

Scan completion time = Sat, 7 Feb 2004 14:11:08 

Start IP address: 192.168.1.1 

End IP address: 192.168.1.254 

Number of target IP addresses: 254 

Number of IP addresses responding to pings: 13 

Number of IP addresses sent pings: 254 

Number of intermediate routers responding to pings: 0 

Number of successful NetBIOS queries: 13 

Number of IP addresses sent NetBIOS queries: 254 

Number of MAC addresses obtained by NetBIOS queries: 13 

Number of successful Subnet Mask queries: 0 

Number of IP addresses sent Subnet Mask queries: 254 

Number of successful Whois queries: 254 

Traffic denial 

Deny ICMP traffic to specific hosts you're trying to protect. Most hosts don't 
need to have ICMP enabled — especially inbound ICMP requests — unless 
it's needed for a network management system that monitors hosts using this 
protocol. 




You can break applications on your network, so make sure that you analyze 
what's going on, and understand how applications and protocols are working, 
before you disable such network traffic as ICMP. 



Chapter 9: Network Infrastructure 



•pBoq 



SNMP scanning 




lSJaetwork Management Protocol (SNMP) is a protocol built into virtu- 
ly evfery network device. Network management programs (such as HP 
Open View and LANDesk) use SNMP for remote network host management. 
Unfortunately, SNMP also presents security vulnerabilities. 



Vulnerabilities 

The problem is that most network hosts run SNMP that isn't hardened or 
patched to prevent known security vulnerabilities. The majority of network 
devices have SNMP enabled and don't even need it! 



If SNMP is compromised, a hacker can gather such network information as 
ARP tables and TCP connections to attack your systems. If SNMP shows up 
in port scans, you can bet that a hacker will try to compromise the system. 
Figure 9-5 shows how GFI LANguard determined the NetWare version running 
(Version 6, Service Pack 3) by simply querying a host running unprotected 
SNMP. Here are some other utilities for SNMP enumeration: 



The commercial tool SolarWinds (www .sol arwi nds . net) 

Free Windows GUI-based Getif (www . wtcs .org/snmp4tpc/getif. htm) 

V Text-based SNMPUTIL for Windows (www.wtcs.org/snmp4tpc/FILES/ 
Tool s/SNMPUTIL/SNMPUTIL. zip) 



Figure 9-5: 

Information 
gathered by 
querying a 
vulnerable 
SNMP host. 



.S) SNMP info (system) 

sysDescr - Novell NetWare 5.60.03 March 27, 2003_ 
sysUpTime - 24 days, 2 hours, 56 seconds 
sysContact - null 
sysName - FSMAIN 
sysLocation - null 

Object ID - 1. 2. 3. 4.5. 6. 78. 9.0 (Novell Netware Box) 

Vpnrlnr - Mriupll 



Countermeasures 
^vJkBEyj Preventing SNMP attacks can be as simple as A-B-C: 

Always disable SNMP on hosts if you're not using it — period. 

i>* Block the SNMP port (UDP port 161) at the network perimeter. 

i>* Change the default SNMP community string from public to another value 
that's more difficult to guess. This makes SNMP harder to hack. 



Part III: Network Hacking 



Banner qxabbinq 

:>Bocte 



are the welcome screens that divulge software version numbers and 
st information to a network host. This banner information may iden- 
tify the operating system, the version number, and the specific service packs, 
so hackers know possible vulnerabilities. You can grab banners by using 
either plain old telnet or Netcat. 

telnet 

You can telnet to hosts on the default telnet port (TCP port 23) to see whether 
you're presented with a login prompt or any other information. Just enter the 
following line at the command prompt in Windows or UNIX: 

telnet i p_address 
You can telnet to other commonly used ports with these commands: 











telnet ip_address 2 


3 







f HTTP: 





telnet i p_address 80 




f POP3: 












telnet ip_address 110 








Figure 9-6 shows specific version 
when telnetting to it on port 25. 


information about an Exchange 


2003 server 



Figure 9-6: 

Information 
gathered 
about 
Exchange 
2003 via 
telnet. 



F^DOS Prompt - telnet 10.11.12.2 25 



220 nail. youi , "'e-nail"'seruei*. con Microsoft ESMTP HAIL Service, Uersio 
0 ready at Sat, 7 Feb 2004 19:01:22 -0500 



KB 

n: 6.0. 3790. _*J 



Netcat 

Netcat can grab banner information from routers and other network hosts, 
such as a wireless access point or managed Ethernet switch. 

The following steps bring back information about a host that runs a Web 
server for remote management purposes: 



Chapter 9: Network Infrastructure 



ipBooki 



1. Enter the following line to initiate a connection on port 80: 

nc -v f p_address 80 

for the initial connection. 
Netcat returns the message hostname [i p_address~\ 80 (http) open. 

3. Enter the following line to grab the home page of the Web server: 

GET / HTTP/1.0 

4. Press Enter a couple of times to load the page. 
Figure 9-7 shows some typical results with Netcat. 



Figure 9-7: 

A Web- 
server 
banner 
grab using 
Netcat. 



Select DOS Prompt 



C:\netcat>nc -u 10.11.12.2 80 
seruerl [10.11.12.2] 80 <http> open 
GET / HTTP/1.0 

HTTP/1.1 200 OK 

Date: Hon, 01 Dec 2003 19:12:24 GMT 
Server: Apache/2.0.47 <Win32> 

Last-Modified: Thu, 11 Sep 2003 0S:21:07 GMT 
ETag: "2e8c-2aS0-f 792253b" 
Accept— Ranges : bytes 
Content-Length: 10832 
Connection : close 

Content-Type: text/htnl; charset=ISO-8859-l 



Countermeasures 

The following steps can reduce the chance of banner-grabbing attacks: 

i>* If there is no business need for services that offer banner information, 
disable those unused services on the network host. 

If there is no business need for the default banners, or if you can cus- 
tomize the banners displayed, configure the network host's application 
or operating system to either disable the banners or remove information 
from the banners that could give an attacker a leg up. 

If you can customize your banners, check with your lawyer about adding a 
warning message similar to this: 

Warning!!! This is a private system. All use is monitored and recorded. Any 
unauthorized use of this system may result in civil and/or criminal prosecu- 
tion to the fullest extent of the law. 



FireuJaK rules 

As part of your ethical hacking, you can test your firewall rules to make sure 
they're working like they're supposed to. 



Part III: Network Hacking 



Testing 

■-^ A few tests can verify that your firewall actually does what it says it's doing. 

1 1T\ f\ Crr^ ^Q~ onnec t through it on the ports you believe are open, but what about 

L-^ I w I—/ \J Vfllltm^her ports that can be open and shouldn't be? 

Some security-assessment tools can not only test for open ports, but also 
determine whether traffic is actually allowed to pass through the firewall. 

Att-in-one toots 

All-in-one tools aren't perfect, but their broad testing capabilities make the 
network scanning process a lot less painful and can save you tons of time! 
Their reporting is really nice, too, especially if you will show your test results 
to upper management. 

Nessus, QualysGuard, and GFI LANguard Network Security Scanner provide 
similar results. Figure 9-8 is partial output from LANguard. It identifies open 
ports on the test network and presents information on SNMP, operating-system 
information, and special alerts to look for. 



Figure 9-8: 

Information 
gathered 
from a 
network 
scan using 
LANguard 
Network 
Security 
Scanner. 



J GFI LANguard Network Security Scanner v(3.2) 



File Edit View Scan Patches Tools LANguard Tray 



o o I d ffl I na a r* 



3 

s j 

as ! 

31 



10.1 1.7 [FSMAIN | (NetWare 5 0] 
63 NETBIOS names (4) 
HJi Username : (No one logged on) 
■9 MAC : 00-50-1 2-34-56-78 (COMPAQ COMPUTER 
J3) SNMP (system) 

Ef Time to live (TTL) : 127 (128) • 1 hop(s) away 
Gf LAN Managet : NetWare 5.0 
Ef Domain: NDSTREE 
S Shares |10| 
* TCP Ports (7) 
■ UDP Ports (6) 
, j\ Alerts (1| 

10.1.1.3 [WIN2K ] (Windows) 
Ef Time to live (TTL) : 127 (128) - 1 hop(s) away 
£ TCP Ports (3) 
Alerts (1 1 

.1 18 [MCI291111 ] (HP Jet-Direct Print Server] 



i hh-IT.;: ;MQ".y::2 ] Window-:] 




You can use LANguard Network Security Scanner and QualysGuard to find 
operating-system vulnerabilities and patches that need to be applied. Pretty 
slick! I show you more on this in Chapter 11, which covers Windows. 

Netcat 

Netcat can test certain firewall rules without having to test a production 
system directly. For example, you can check whether the firewall allows port 
23 (telnet) through. Follow these steps to see whether a connection can be 
made through port 23: 

1. Load Netcat on a client machine inside the network. 



This allows you to test from the inside out. 



Chapter 9: Network Infrastructure 



2. Load Netcat on a testing computer outside the firewall. 

allows you to test from the outside in. 

r the Netcat listener command on the client (internal) machine 
the port number you're testing. 

For example, if you're testing port 23, enter this command: 

nc -1 -p 23 cmd.exe 

4. Enter the Netcat command to initiate an inbound session on the test- 
ing (external) machine. You must include the following information: 

• The IP address of the internal machine you're testing 

• The port number you're testing 

For example, if the IP address of the internal (client) machine is 
10.11.12.2 and the port is 23, enter this command: 

nc -v 10.11.12.2 23 



DropBookfS 

with 



If Netcat presents you with a new command prompt (that's what the cmd . exe 
is for in Step 3) on the external machine, it means that you connected and are 
now executing commands on the internal machine! This can serve several 
purposes, including testing firewall rules and — well, uhhhmmm — executing 
commands on a remote system! 

Alternative testing toots 

These utilities test firewall rules more robustly than Netcat: 

IV Firewalk: A UNIX-based tool (www .packetfactory.net/firewalk) 
is* Firewall Informer: A commercial tool by BLADE Software (www . 
blade-software.com) 



Countermeasures 

The following countermeasures can prevent a hacker from testing your firewall: 

i>* Limit traffic to what's needed. 

Set rules on your firewall (and router, if needed) to pass only traffic that 
you absolutely must pass. For example, have rules in place that allow 
HTTP inbound to an internal Web server and outbound for external Web 




access. 

This is the best defense against someone poking at your firewall. 

v 0 Block ICMP to help prevent abuse from some automated tools, such as 
Firewalk. 

Enable stateful packet inspection on the firewall, if you can. It can block 
unsolicited requests. 



Part III: Network Hacking 



Looking through a network analyzer 

pBocfe 




k analyzer is a tool that allows you to look into a network and ana- 
going across the wire for network optimization, security, and/or 
troubleshooting purposes. Like a microscope for a lab scientist, a network 
analyzer is a must-have tool for any security professional. 

Network analyzers are often generically referred to as sniffers, though that's 
actually the name and trademark of a specific product from Network 
Associates, Sniffer (the original network-analysis tool). 

A network analyzer is handy for sniffing packets. Watch for the following net- 
work traffic behavior: 



What do packet replies look like? Are they coming from the host you're 
testing or from an intermediary device? 

V Do packets appear to traverse a network host or security device, such 
as a router, a firewall, IDS, or a proxy server? 

When assessing security and responding to security incidents, a network ana- 
lyzer can help you 

If" View anomalous network traffic and even track down an intruder. 
Develop a baseline of network activity and performance before a secu- 
rity incident occurs, such as protocols in use, usage trends, and MAC 
addresses. 

When your network behaves erratically, a network analyzer can help you 

• Track and isolate malicious network usage 

• Detect malicious Trojan-horse applications 

• Monitor and track down DoS attacks 



You can use one of the following programs for network analysis: 

EtherPeek by WildPackets (www .wi 1 dp a eke ts .com) is my favorite 
network analyzer. It delivers a ton of features that the higher-end 
network analyzers of yesterday have for a fraction of their cost. 
EtherPeek is available for the Windows operating systems. 

i>* I download the open-source Ethereal network analyzer from www . 
ethereal .org if I need a quick fix and don't have my laptop nearby. 
It's not as user-friendly as EtherPeek, but it is very powerful if you're 
willing to learn its ins and outs. Ethereal is available for both Windows 
and UNIX-based operating systems. 



Chapter 9: Network Infrastructure 



jBooks 



v 0 Two other powerful and free utilities can perform such functions as 
network analysis: 



ettercap (ettercap . sourcef orge . net) for Windows and UNIX- 
based operating systems. I cover ettercap in more detail in "ARP 
spoofing," later in the chapter. 

• dsniff (www .mo n key . org /-dugs on g/ dsn i f f) for UNIX-based 
operating systems. 

A network analyzer is just software running on a computer with a network 
card. It works by placing the network card in promiscuous mode, which enables 
the card to see all the traffic on the network, even traffic not destined to the 
network-analyzer host. The network analyzer performs the following functions: 

Captures all network traffic 
W Interprets or decodes what is found into a human-readable format 
ptA-STOf Displays it all in chronological order 

Here are a few caveats for using a network analyzer: 

V To capture all traffic, you must connect the analyzer to either 

• A hub on the network 

• A monitor/span/mirror port on a switch 

You should connect the network analyzer to a hub on the outside of the 
firewall, as shown in Figure 9-9, as part of your testing so you can see 
traffic similar to what a network-based IDS sees: 

• What's entering your network before the firewall filters eliminates 
the junk traffic 

• What's leaving your network after the traffic goes past the firewall 




Part III: Network Hacking 



pBodfe 

f Odd 



Whether you connect your network analyzer inside or outside your firewall, 
you see immediate results. It can be an overwhelming amount of information, 
an look for these issues first: 



traffic, such as 



• Unusual amount of ICMP packets 

• Excessive amounts of multicast or broadcast traffic 

• Packet types that don't belong, such as NetBIOS in a NetWare 
environment 

Internet usage habits, which can help point out malicious behavior of a 
rogue insider or system that has been compromised, such as 

• Web surfing 

• E-mail 

• IM 

Questionable usage, such as 

• Many lost or oversized packets 

• High bandwidth consumption that may point to a Web or FTP 
server that doesn't belong 

*** Reconnaissance probes and system profiling from port scanners and 
vulnerability-assessment tools, such as a significant amount of inbound 
traffic from unknown hosts — especially over ports that are not used 
very much, such as FTP or telnet. 

Hacking in progress, such as tons of inbound UDP or ICMP echo 
requests, SYN floods, or excessive broadcasts. 

v* Nonstandard host names on your network. For example, if your systems 
are named Computerl, Computer2, and so on, a computer named 
GEEKz4evUR should raise a red flag. 

V Hidden servers (especially Web, SMTP, FTP, and DHCP) that may be 
eating network bandwidth or serving illegal software or even access into 
your network hosts. 

**" Attacks on specific applications that show such commands as /bi n/rm, 
/bin/Is, echo, and cmd . exe. 



You may need to let your network analyzer run for quite a while — several 
hours to several days, depending on what you're looking for. 

Before getting started, configure your network analyzer to capture and store 
the most relevant data: 



If your network analyzer permits it, configure your network analyzer 
software to use a first-in, first-out buffer. 



Chapter 9: Network Infrastructure 



2^/^^\ This overwrites the oldest data when the buffer fills up, but it may be 

your only option if memory and hard drive space are limited on your 
ork-analysis computer. 

ur network analyzer permits it, record all the traffic into a capture 
file, and save it to the hard drive. This is the ideal scenario — especially 
if you have a large hard drive, such as 50GB or more. 

You can easily fill a several-gigabyte hard drive in a short period of time. 

When network traffic doesn't look right in a network analyzer, it proba- 
bly isn't. It's better to be safe than sorry. 

Run a baseline when your network is working normally. You can see any 
obvious abnormalities when an attack occurs. 




Clear-as-day decoding makes a network analyzer worth every penny you 
may pay. 

Figure 9-10 shows what a Smurf DoS attack can do to a network in just 30 
seconds. (I created this attack with BLADE Software's IDS Informer, but you 
can use other tools.) On a small network with very little traffic, the utilization 
number is 823 kilobits/second — not too large a number for a 100-megabit/ 
second Ethernet network. However, on a busy network with a lot more traffic, 
the number would be staggering. 



Figure 9-10: 

What a 
Smurf DoS 
attack looks 
like through 
a network 
analyzer. 







Ifj File Edit View Capture Send 


Monitor Tools Window 


Help 




□ • cs - a m i a a m i 


a l * * .a. t s. 


9 m»* i -» i 


Packets received: ^^^HETljuE] 




1 5% 


1 




Start Capture 


Packets Tittered: ^^^^EXHE 


h 


1 - 


Acce::il all tickets 


(Packets zl| 11 ° 






Statistic 


Current 




3 : General 






Start Date 


12/02/2003 




h Start Time 


10: 59:55 


=1 


Duration 


00:00:29 




Total Bytes 






Total Packets 


2,812 




Total Broadcast 


0 




Total Multicast 


0 




Average Utilization (kbits/s) 


823.466 




For Help, press Fl 5^3Com 3C920 Integrated Fast Ethernet Contrcfer 0C9O5C-TX Compattlte) 



Figure 9-1 1 shows the Smurf DoS attack on EtherPeek's conversation monitor. 
Three million bytes were transmitted in this short period of time — from 
one host. 

Figure 9-12 shows what a WANRemote backdoor remote administration 
tool (RAT) looks like across the network using EtherPeek. It shows the com- 
mands sent to get files from the local C: drive, kill UNIX processes, and unload 
X-Window. 



Part III: Network Hacking 



Figure 9-11: 



conversa 



conversa- 
tion via 
EtherPeek. 




Figure 9-12: 

WANRemote 
RAT- attack 
traffic. 



EtherPeek - [Capture 1] 




4$ Fie Edit View Capture 5end Monitor Tools Window Help 




n • £ - h # & a iTieou ■+ 




1 10 || | | Aiiiiefil .ill p.iLlief-: 






Packet Source ' Dest. Logical i Protocol 


Summary 


53 IP-10.11.12.Z03 IP-10. 11. 12.204 HTTP 
fifi TP-in. 1 1 . 12.203 TP-lfl. 1 1 .12.2nd HTTP 


C P0RT=1164 GET /process ?kill=800 


For Help, press Fl 9£) 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) 



If one workstation consumes considerably more bandwidth than the others — 
such as the 10.11.12.203 host in Figure 9-13 — dig deeper to see what's going 
on. (Such network hosts as servers often send and receive more traffic than 
other hosts.) 

Figure 9-14 shows an indication that a port scan is being run on the network. 
It shows all the different protocols and the small number of packets this analy- 
sis found, including Gnutella, telnet, and rlogin. 



Figure 9-13: 

Higher- 
than-normal 
network 
usage (as 
shown 
by the 
10.11.12.203 
host). 



^ EtherPeek - [Capture 1] 



File Edit View Capture Send Monitor Tools Window Help 

□ -6*-y#iaaEiai**iAT5.®Ei«i]->i 



Packets received: 
Packets filtered: 



Net Node 1 (Client) 



+1 ma 0.0.0.0 

a a 10.11.12.0 

S a 10.11.12.1 

* — 10.11.12-2 

5 — » 10.11.12-2 

fa-m 10.11.12.156 

$ mm 10.11.12.201 

it mm 10.11.12.201 

EE mm 10.11.12.203 

k mm 10,11.12.203 

E mm 10.11.12.203 

i ma 10.11.12.203 

EE ma 10.11.12.203 

±1 a 10.11.12.203 

EE « 10.11.12.203 

± a 10.11.12.204 

rsmt 10.11.12.205 

■£mm 10.11.12.205 

lJ 



Accept ■Fill packet: 



Stop Capture 



Met Mode 2 


Packets 


Bytes 


255.255.255.255 


1 


594 


10.11.12.203 


3,614 


32F,,8SS 


255.255.255.255 


1 


347 


10.11.12.255 


91:1 


1 4.799 


10.11.12.1 


2 


128 


10.11.12.255 


52 


6,664 


224.1 .0.1 


2 


128 


224.0.1 .40 


2 


128 


10.11.12.110 


574,028 


236,306,248 


255.255.255.255 


29,478 


31 ,508,354 


10.11.12.205 


6,754 


443,245 


10.11.12.255 


86 


11,420 


10.11. 12.1 


18 


1,887 


10.11.12.204 


34,616 


32,728,743 


10.11.12.2 


2,760 


470,924 


10.11.12.255 


45 


9,732 


10.11.12.255 


2 


128 


10.11.12.0 


2 


128 



128 wi 



\Packets ^Nocte: A Protocol-:. ScimiTiory AOifiph: A Loci }\ Conver sal ions ^ Filters / 
Capturing Bp 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) Packets: 102,000 Dur. 

For Help, press Fl Sj) 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) 



Chapter 9: Network Infrastructure 



)pBo 




Figure 9-14: 

Many 
nonstandard 
protocols 
can indicate 
that a port 
scan is 
taking 
place. 



*® EtherPeek - [Capture 1] 



EE 



Capture 5 end Monitor Tools Window Help 



Jj9jxj 



RPC 

X-Uindows 
v Il- 
linois 
TNS 

TELNET 

TDS 



ttelnet 

- rah 

RPC/NFS 
e login 



\ — 



'. l iFill packets 



II e @ m g 

Percentage 



192 
192 
192 
192 
192 



192 
192 



Packets ^ Nodes ^Protocols /^Summary ^Graphs ^Conversations ^Filters / 

Idle B@ 3Com 3C920~Integrated Fast Ethernet Controller (3C905C-TX Compatible) Packets! ;8,20S 

For Help, press Fl Bp 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) 



Check your network for a high number of ARP requests and ICMP echo 
requests proportionate to your overall traffic, as shown in Figure 9-15. 




Countermeasures 

A network analyzer can be used for good or evil. All these tests can be used 
against you, too. A few countermeasures can help prevent someone from 
using an unauthorized network analyzer, but there's no way to completely 
prevent it. 

If hackers can connect to your network (physical or wireless), they can cap- 
ture packets on the network, even if you're using a switch. 



Figure 9-15: 

Abnormally 
high ICMP 
and ARP 
requests 
show 
potential 
malicious 
behavior. 



jjr9 File Edit View Capture Send Monitor Tools Window Help _ 



r 3. e m n 



Start Caph 



Protocol 

- Ethernet Type 2 
B APP 

Request 



31 



T£ »] ">': U 0 

Percentage 



Response 

B IP 

&ICHP 

; i-Echo Re g 

Dest Unreach 
[ L EchQ Reply 

ftODP 

B TCP 




,226,688 
74,688 



11,955,094 i 
71,052 i 
384 j 
1,380,896 | 
2,029,464 j 



\ F an* et ; ,\ t'Jijri-:-::- prot-xol: ,\ Sumnwy /■, Oifiph: h '! on-.'^-t -Tut: one A Filter i 

Idle Bp 3Com 3C9~20 Integrated Fast Ethernet Controller (3C905C : TX Corr 

For Help, press Fl !iB3Com 3C920 Integrated Fast Ethernet Controller (3C905O / /r 



Part III: Network Hacking 



tnsure tri 

p Books 

ojttNG/ I ^ Keef 



Physical security 

ure that adequate physical security is in place to prevent a hacker from 
into your network: 




Keep the bad guys out of your server room and wiring closet. 

A special monitor port on a switch where a hacker can plug in a network 
analyzer is especially sensitive. Make sure it's extra secure. 

t<" Make sure that such unsupervised areas as unoccupied desks don't 
have live network connections. 



Netutork-anatyzer detection 

You can use a network- or host-based utility to determine if someone is run- 
ning an unauthorized network analyzer on your network: 

sniffdet (sni f fdet . sourcef orge .net) for UNIX-based systems 

PromiscDetect (ntsecurity.nu/toolbox/promiscdetect)for 
Windows 



These tools enable you to monitor the network for Ethernet cards that are 
running in promiscuous mode. You simply load the programs on your com- 
puter, and the programs alert you if they see promiscuous behaviors on the 
network (sniffdet) or local system (PromiscDetect). 



The MAOdaddy attack 

Attackers can use ARP (Address Resolution Protocol) running on your net- 
work to make their systems appear to be either your system or another 
authorized host on your network. 



ARP spoofing 

An excessive amount of ARP requests can be a sign of an ARP poisoning 
attack (or ARP spoofing) on your network. 



What happens is that a client running a program such as the UNIX-based 
dsniff or the UNIX- and DOS/Windows-based ettercap can change the ARP 
tables — the tables that store IP addresses to media access control (MAC) 
mappings — on network hosts. This causes the victim computers to think 
they need to send traffic to the attacker's computer, rather than the true des- 
tination computer, when communicating on the network. This is often referred 
to as a Man-in-the-Middle (MITM) attack. 

This security vulnerability is inherent in how TCP/IP communications are 
handled. 



Chapter 9: Network Infrastructure 



ipBooks- 

etterc; 



Here's a typical ARP spoofing attack with a hacker's computer (Hacky) and 
two legitimate network users' computers (Joe and Bob): 



poisons the ARP caches of victims Joe and Bob by using dsniff, 
ettercap, or a utility he wrote. 

2. Joe associates Hacky's MAC address with Bob's IP address. 

3. Bob associates Hacky's MAC address with Joe's IP address. 

4. Joe's traffic and Bob's traffic are sent to Hacky's IP address first. 

5. Hacky's network analyzer captures Joe's traffic and Bob's traffic. 

If Hacky is configured to act like a router and forward packets, it forwards 
the traffic to its original destination. The original sender and receiver 
never know the difference! 



Figure 9-16 shows the juicy e-mail stuff I found with ettercap. I loaded ettercap 
on my Windows computer, selected 10.11.12.204 as the source and 10.11.12.2 
as the destination, and used ARP poisoning. Voila! 



Figure 9-16: 

A sample 
of what 
hackers 
can find 
with ARP 
poisoning. 



© EtherPeek - [Laptur 



jj) File Edit View Capture Send Monitor Took Wjndow Help 



+i» | .J-.c C'E-nt rr.ly :;i;n:l: 



- - * 



21 IP-10. 11. 12. 204 

22 IP-10. 11. 12. 2 
27 IP-10. 11.12.204 
30 I IP-10. 11. 12.2 
33 IP-10. 11. 12. 204 

105 IP-10. 11. 12. 204 

106 1 IP-10. 11. 12.2 
For Help, press Fl 



IP-10. 11. 12. 2 
IP-10. 11. 12. 204 

IP-10.11. 12.2 

IP-10. 11. 12. 204 
j IP-l6.ll. 12.2 
" IP-10.11. 12.2 
IP-10. 11. 12.204 



; SHTP 

SHTP 
j P0P3 _ 

P0P3 



C P0RT=2219 HAIL FR0M:<... 

R PORT-2219 250 sendee ... 

C PORT-2219 RCPT T0:<kD... 

R PORT-2219 250 Recipie... 

C PORT-2219 RSET 

C PORT-2221 3TAT 
P P0RT=2221 +0K 0 0 



5) 3Com 3C920 Integrated Fa^t Ethernet Controller (3C905C-TX Compatible) 



Spoofed ARP replies can be sent to a switch very quickly which often crashes 
the switch. The switch reverts to broadcast mode, which makes it work like a 
hub. When this occurs, an attacker can sniff every packet going through the 
switch without bothering with ARP spoofing. 

MAC-address spoofing 

MAC-address spoofing tricks the switch into thinking you (actually, your com- 
puter) are someone else. You simply change your MAC address and masquer- 
ade as another user. 



You can use this trick to test such access control systems as your IDS, fire- 
wall, and even operating-system login controls that check for specific MAC 
addresses. 



Part III: Network Hacking 



UNIX-based systems 



_N _ InJJNIXa 

DropBocms 



and Linux, you can spoof MAC addresses with the ifconfig utility, 
ese steps: 





1. While logged in as root, use ifconfig to enter a command that disables 
the network interface. Insert the network interface number that you 
want to disable (usually, ethO) into the command, like this: 

[root@l ocal host root]# ifconfig ethO down 

2. Enter a command for the MAC address you want to use. 

Insert the fake MAC address and the network interface number (ethO) 
into the command again, like this: 

[rootgl ocal host root]# ifconfig ethO hw ether new_mac_dddress 

You can use a more feature-rich utility called MAC Changer (www . a 1 obbs . 
com/macchanger) for Linux systems. 

Windows 

You can use regedit to edit the Windows Registry, but I like using a neat 
Windows utility called SMAC (www . kl cconsul ti ng . net/smac), which makes 
MAC spoofing a simple process. Follow these steps to use SMAC: 

1. Load the program. 

2. Select the adapter for which you want to change the MAC address. 

3. Enter the new MAC address in the New Spoofed MAC Address fields, 
and click Update MAC. 

4. Stop and restart the network card with these steps: 

i. Right-click the network card in Network and Dialup Connections. 

ii. Select Disable, and then right-click again and click Enable for the 
change to take effect. 

You may have to reboot for this to work properly. 

5. Click Refresh in the SMAC interface. 

You should see something similar to the SMAC screen capture in 
Figure 9-17. 

To reverse Registry changes with SMAC, follow these steps: 

1. Select the adapter for which you want to change the MAC address. 

2. Click Remove MAC. 



Chapter 9: Network Infrastructure 



>Pfipoks 




3. Stop and restart the network card with these steps: 

i. Right-click the network card in Network and Dialup Connections. 

Select Disable, and then right-click again and click Enable for the 
change to take effect. 



You may have to reboot for this to work properly. 
4. Click Refresh in the SMAC interface. 

You should see your original MAC address again. 



Figure 9-17: 

SMAC 
showing a 
spoofed 
MAC 
address. 



AC 1.1 [WBEMOn] 



"=1 



ID 


Active 


Spoofed 


Network Adapter 


IPAddier: 


Active MAC 































































































W Show Only Active Network Adapters 
New Spooled MAC Address 

| 00 -| 11 -] 22 -| 33 -| 44 -| 55 xj 

Spoofed MAC Address 



100-11-22-33-44-55 
Active MAC Address 



00-11-22-33-44-55 



KLC CONSULTING, INC 

www. klcconsulting. net/smac 



['i.-': I jimeJ U.-<; [hi; program "il you - vv.'n ri/l ,:~ r ■■!-.■; :■ •- ■ .■ .1 v i 1 : | ; i :! ■ ■ r ;r ;.y; tern Tt i ; 

| program is not lo be usedtof any illegal or unethical purpose Do not use this program if you do not agree with this disclaimer. 



Countermeasures 

A few countermeasures on your network can minimize the effects of a hacker 
attack against ARP and MAC addresses on your network. 



Pretention 

You can prevent MAC-address spoofing if your switches can enable port secu- 
rity to prevent automatic changes to the switch MAC address tables. 




No realistic countermeasures for ARP poisoning exist. The only way to prevent 
ARP poisoning is to create and maintain static ARP entries in your switches for 
every host on the network. This is definitely something that no network admin- 
istrator has time to do! 



Detection 

You can detect these two types of hacks through either an IDS or a stand-alone 
MAC address monitoring utility. 



Part III: Network Hacking 



Arpwatch is a UNIX-based program alerts you via e-mail if it detects changes 
in MAC addresses associated with specific IP addresses on the network. 



Denial-of-service (DoS) attacks are among the most common hacker attacks. A 
hacker initiates so many invalid requests to a network host that it uses all its 
resources responding to them and ignores legitimate requests. 

boS attacks 

The following types of DoS attacks are possible against your network and 
hosts, and can cause systems to crash, data to be lost, and every user to 
jump on your case, wondering when Internet access will be restored. 

Individual attacks 

Here are some common DoS attacks: 

V* SYN floods: The attacker literally floods a host with TCP SYN packets. 

i>* Ping of Death: The attacker sends IP packets that exceed the maximum 
length of 65,535 bytes, which can ultimately crash the TCP/IP stack on 
many operating systems. 

WinNuke: This attack can disable networking on older Windows 95 and 
NT computers. 

Distributed attacks 

Distributed DoS (DDoS) attacks have an exponentially greater impact on their 
victims. The most famous was the DDoS attack against eBay, Yahoo!, CNN, 
and dozens of other Web sites by the hacker known as MafiaBoy. These are 
some common distributed attacks: 

Smurf attack: An attacker spoofs the victim's address and sends ICMP 
echo request (ping packets) to the broadcast address. The victim com- 
puter gets deluged with tons of packets in response to those echo 
requests. 

Trinoo and Tribe Flood Network (TFN) attacks: Sets of client- and 
server-based programs launch packet floods against a victim machine, 
effectively overloading it and causing it to crash. 

DoS attacks can be carried out with tools that the hacker either writes or 
downloads off the Internet. These are good tools to test your network's 
IDS/IDP and firewalls. You can find programs that allow actual attacks and 
programs, such as BLADE Software's IDS Informer, that let you send con- 
trolled attacks. 




Denial of service 



Chapter 9: Network Infrastructure 



■— ^ |— ^ Your tirst 

DropBoQKs 

<,j»NG/ Don't tesi 



Testing 

Your first DoS test should be a search for DoS vulnerabilities from a port- 
and network-analysis perspective. 




Don't test for DoS unless you have test systems or can perform controlled 
tests with the proper tools. Poorly planned DoS testing is a job search in the 
making. It's like trying to delete data from a network share remotely and 
hoping that the access controls in place are going to prevent it. 

Countermeasures 

Most DoS attacks are difficult to predict, but they can be easy to prevent: 



Test and apply security patches as soon as possible for such network 
hosts as routers and firewalls, as well as for server and workstation 
operating systems. 

f Use IDS and IDP systems to monitor regularly for DoS attacks. 

You can run a network analyzer in continuous capture mode if you can't 
justify the cost of an all-out IDS or IDP solution. 

V Configure firewalls and routers to block malformed traffic. You can do 
this only if your systems support it, so refer to your administrator's 
guide for details. 

Minimize IP spoofing by either 

• Using authentication and encryption, such as a Public Key 
Infrastructure (PKI) 

• Filtering out external packets that appear to come from an internal 
address, the local host (127.0.0.1), or any other private and non- 
routable address such as lO.x.x.x, 172.16.x.x-172.31.x.x, or 
192.168.x.x 

V Block all ICMP traffic inbound to your network unless you specifically 
need it. Even then, you should allow it only in to specific hosts. 

V Disable all unneeded TCP/UDP small services (such as echo and chargen). 

Establish a baseline of your network protocols and traffic patterns before a 
DoS attack occurs. That way, you know what to look for. And periodically 
scan for such potential DoS vulnerabilities as rogue DoS software installed on 
network hosts. 




Work with a minimum necessary mentality when configuring your network 
devices such as firewalls and routers: 



Identify traffic that is necessary for approved network usage. 
i>* Allow the traffic that's needed. 
i>* Deny all other traffic. 



Part III: Network Hacking 



3BoqJ$ 



General network defenses 



iss of the specific attacks against your system, a few good practices 
'prevent many network problems: 



Stateful inspection on firewalls. This can help ensure that all traffic tra- 
versing it is legitimate and can prevent DoS attacks and other spoofing 
attacks. 

v 0 Rules to perform packet filtering based on traffic type, TCP/UDP ports, 
IP addresses, and even specific interfaces on your routers before the 
traffic is ever allowed to enter your network. 

i>* Proxy filtering and Network Address Translation (NAT). 

Finding and eliminating fragmented packets entering your network (from 
Fraggle or other type of attack) via an IDS or IDP system. 

f Segmenting and firewalling these network segments: 

• The internal network in general 

• Critical departments, such as accounting, finance, HR, and 
research 




Chapter 10 

DropBooks wire|es$LANs 



In This Chapter 

Understanding risks of wireless LANs 
Selecting wireless LAN hacking tools 
Hacking against wireless LANs 
Minimizing wireless network security risks 



■ /ireless local area networks (WLANs) — specifically, the ones based on 
▼ ▼ the IEEE 802.11 standard — are increasingly being deployed into both 
business and home networks. Next to instant messaging and personal video 
recorders, WLANs are the neatest technology I've used in quite a while. Of 
course, with any new technology come security issues, and WLANs are no 
exception. In fact, the 802.11b wireless technology has been the poster child 
for weak security and network hack attacks for several years running. 

WLANs offer a ton of business value, from convenience to reduced network 
deployment time. Whether your organization allows wireless network access 
or not, testing for WLAN security vulnerabilities is critical. In this chapter, I 
cover some common wireless network security vulnerabilities that you should 
test for. And I discuss some cheap and easy countermeasures you can imple- 
ment to help ensure that WLANs are not more of a risk to your organization 
than they're worth. 



Understanding the Implications of 
Wireless NetWork Vulnerabilities 

WLANs are very susceptible to hacker attacks — even more so than wired 
networks are (discussed in Chapter 9). They have vulnerabilities that can 
allow a hacker to bring your network to its knees and allow your information 
to be gleaned right out of thin air. If a hacker comprises your WLAN, you can 
experience the following problems: 



Part III: Network Hacking 



V Loss of network access, including e-mail, Web, and other services that 



can cause business downtime 



DBocte 



of confidential information, including passwords, customer data, 
lectual property, and more 



Legal liabilities associated with unauthorized users 

Most of the wireless vulnerabilities are in the 802.1 1 protocol and within wire- 
less access points (APs) — the central hublike devices that allow wireless 
clients to connect to the network. Wireless clients have some vulnerabilities 
as well. 



Various fixes have come along in recent years to address these vulnerabili- 
ties, but most of these fixes have not been applied or are not enabled by 
default. You may also have employees installing rogue WLAN equipment on 
your network without your knowledge; this is the most serious threat to your 
wireless security and a difficult one to fight off. Even when WLANs are hard- 
ened and all the latest patches have been applied, you still may have some 
serious security problems, such as DoS and man-in-the-middle attacks (like 
you have on wired networks), that will likely be around for a while. 



Choosing \lour Tools 

Several great WLAN security tools are available for both the Windows and 
UNIX platforms. The UNIX tools — which mostly run on Linux and BSD — can 
be a bear to configure and run properly if the planets and stars are not prop- 
erly aligned. The PC Card services in Linux are the trickiest to set up, depend- 
ing on your type of WLAN card and your Linux version. 

Don't get me wrong — the UNIX-based tools are excellent at what they do. 
Programs such as Kismet (www . ki smetwi rel ess . net), AirSnort (ai rsnort . 
shmoo . com), AirJack (802 . llni n j a . net/a i r j ack), and Wellenreiter (www. 
wellenreiter.net) offer many features that most Windows-based applica- 
tions don't have. These programs run really well if you have all the Linux 
dependencies installed. They also offer many features that you don't need 
when assessing the security of your WLAN. 

In the spirit of keeping things simple, the tests I outline in this chapter require 
only Windows-based utilities. My favorite tools for assessing wireless tools in 
Windows are as follows: 

NetStumbler (www . netstumbl er . com) for AP discovery and enumeration 

Wireless client management software — such as Orinoco's Client Manager 
software — for AP discovery and enumeration 



Chapter 10: Wireless LANs 



•pBooks 



*>* WildPackets' AiroPeek (www . wi 1 dpackets . com) or your favorite WLAN 
analyzer for detailed information on wireless hosts, decryption of 



ypted traffic, and more 



guard Network Security Scanner (www . gf i .com) for WLAN enumera- 
tion and vulnerability scanning 



A case study with Matt Caldwell 
on hacking wireless networks 



Matt Caldwell, shared with me a wild story of a 
wireless warflying experience — yes, it's 
wardriving, but in an airplane! Here's his 
account of what happened. 

The Situation 

Mr. Caldwell's employer — the state of 
Georgia — wanted to have the state's wireless 
networks assessed. The problem with terrestrial 
wardriving is that it's very slow, so Mr. Caldwell 
and his team conducted an experimentto deter- 
mine the most economical way to assess the 
access points across the state of Georgia, which 
comprised 47,000 employees and 70 agencies. 
They knew the location of the buildings and 
knew they had to visit all of them. As a test, they 
drove around one building to count the number 
of access points they detected and concluded 
that it would take almost six months to assess all 
the state buildings. 

In his spare time, Mr. Caldwell flies single- 
engine aircraft, and he decided that if the mili- 
tary could gather intelligence via aircraft, so 
could he! After getting through some political 
red tape, he and a fellow aviator used ducttape 
to mount an antenna on a Cessna 172RG (he 
thanks MacGyver for this idea!). He mounted 
the antenna at a 90-degree angle from the 
plane's nose so that he could make notes on the 
direction of the plot point. By doing some simple 
math, plus 90 degrees gave them radial on the 
approximate bearing of the target access point. 



The Outcome 

As Mr. Caldwell and his colleague climbed 
above 500 feet, NetStumbler (the wireless 
assessment software they were using) began 
chiming overthe engine noise with its "bongs." 
It seemed like every second, a new wireless AP 
was being discovered. They made their way 
around downtown Atlanta and detected over 
300 unique APs at about 2,000 feet AGL. They 
proved that warflying can be an effective 
method of detecting access points and a great 
statistical-gathering activity. They collected 
data on 382 APs in less than one hour in the air! 

Matt Caldwell's Lessons Learned 

Don't eat a McDonald's double cheese- 
burger before flying — or at least carry a 
barf bag! 

Use extra duct tape and a safety rope, or 
put the antenna in the aircraft. 

\* Use good software to do triangulation so 
you don't have to calculate the position 
manually. 

Seventy percent of the APs detected had no 
WEP encryption! 

t<" Almost 50 percent of the APs detected had 
default SSIDs. 

Matt Caldwell, CISSP, is founder of and chief 
security officerfor GuardedNet, Inc. 



1 50 Part Network Hacking 



witn an u 

DropBodte 

that most 




You also need the proper hardware. A good setup I've used is a laptop PC 
with an Orinoco (formerly made by Lucent, now Proxim) 802.11b PC Card. 

is not only compatible with NetStumbler, but also has an antenna 
r that allows you to connect an external antenna. Another bonus is 
that most wireless security tools are very friendly with the Orinoco card. A 
lot of security tool support is available for the Prism2 chipset found in wire- 
less cards by Belkin, D-Link, Linksys, and more. Before you purchase a wire- 
less PC Card or PCI adapter, verify what chipset it has to ensure compatibility 
with the majority of security tools. The SeattleWireless HardwareComparison 
page (www .seattlewireless.net/index.cgi/HardwareComparison)isa 
good reference for this type of information. 

You can also use a handheld wireless security testing device such as an 
AirMagnet (www . ai rmagnet . com) or the Fluke WaveRunner (www . f 1 uke 
networks .com). Both devices have their own built-in programs that are 
great for testing security settings on your WLAN. 

An external antenna is also something to consider as part of your arsenal. I 
have had good luck running tests without an antenna, but your mileage may 
vary. If you're performing a walk-through of your facilities to test for wireless 
signals, for example, adding an additional antenna increases your odds of 
finding legitimate — and, more important, unauthorized APs. You can choose 
among three main types of wireless antennas: 

i>* Omnidirectional: Transmits and receives wireless signals 360 degrees 
over shorter distances, such as in boardrooms or reception areas. These 
antennas, also known as dipoles, typically come installed on APs from 
the factory. 

i>* Semidirectional: Transmits and receives directionally focused wireless 
signals over medium distances, such as down corridors and across one 
side of an office. 

V Directional: Transmits and receives highly focused wireless signals over 
long distances, such as between buildings. This antenna, also known 
as a high-gain antenna, is the antenna of choice for wireless hackers dri- 
ving around cities looking for vulnerable APs — an act also known as 
wardriving. 

As an alternative to the antennas described in the preceding list, you can use a 
nifty Pringles-can design. If you're interested in trying this, check out the article 
at www . orei 1 1 ynet . com/cs/webl og/vi ew/wl g/448 for details. You can even 
try other alternatives, such as a pork-and-beans can! A simple Internet search 
turns up a lot of information on this subject, if you're interested. One site in 
particular sells a Cantenna kit pretty cheaply at mywebpages . comcast . net/ 
hughpep. 



Chapter 10: Wireless LANs 



Wireless LAN Discovery 



pBooks 

at a minir 



have an Internet connection, wireless hardware (a wireless card, 
at a minimum), and wireless testing software (NetStumbler or similar client 
management software, at a minimum), you're ready to roll. 



Checking for Worldwide recognition 

The first test requires only the MAC address of your AP and access to the 
Internet. You're testing to see if someone has discovered your WLAN and 
posted information about it for the world to see. If you're not sure what your 
AP's MAC address is, you should be able to view it by using the a rp -a com- 
mand in DOS. You may have to ping the access point's IP address first so the 
MAC address is loaded into your ARP cache. Figure 10-1 shows what this may 
look like. 



Figure 10-1: 

Finding 
the MAC 
address 
of an AP 
using arp. 





HI-IE3 


C:\UINNT>arp -a 


=1 


Interface: 10.11.12.203 on Interface 0x1000005 

Internet Address Physical Address Type 
10.11.12.201 00-00-0h-ad-be-ef static 




|c = vUINNT>_ 





After you have the AP's MAC address, browse to the WiGLE database of WLANs 
(www . wi gl e .net) to see if your AP is listed. You have to register with the site 
to perform a database query, but it's worth it. After you select the Query link 
and login, you see a screen similar to Figure 10-2. You can enter such AP infor- 
mation as geographical coordinates, but the simplest thing to do is enter your 
MAC address in the format shown. 

If your AP is listed, that means that someone has discovered it — most likely 
via wardriving — and has posted the information for others to see. You need 
to start implementing the security countermeasures listed in this chapter as 
soon as possible to keep others from using this information against you! You 
can also check www .wi fi maps . com to see if your AP is listed at another 
WLAN lookup site. 



Part III: Network Hacking 



iy AMtMHttZLIi PHMC 



Figure 10-2: 

Searching 
for your 
wireless 
APs using 
theWiGLE 
database. 



3 WiGLE - Wireless Geographic Logging Engine - Plotting WiFi on Maps - Mil 



File Edit View Favorite? Tool? Help I* 

.... wmm 

£ 2| £}" ^Search Je] Favorites ^Media £ Z^- 



v. wig e.riet/gpsi'gps/GPSDB/qLiety/ 



~z\\ j&Search Web - (^Search Site 



I Duv/iilQad I Forums | Post File j 
Maps j VVjLj I Logout 

Query the DB 



Query for networks 

Latitude (47.252643): f 

Longitude (- r 

87.256243): 1 

Last Update r 

(20010925174546): 1 

BSSLDorMAC r 
(0A:2C:EF:3D:25:1B):' 
SSID or Network 
Name (foobar): 



r I Screenshots | Stats | Uploads | Web — 



r Must Be aFreeNet 
l~~ Must Be a Commercial Pay Net 
r Must Have DHCP Enabled 
I - Simple Output 

P Only Networks I Was the First to Discover 



| Query | Reset j 

<i 



j 



$ Internet 



Scanning your beat airutaVes 

Monitor the airwaves around your building to see what authorized and unau- 
thorized APs you can find. You're looking for the SSID (service set identifier), 
which is your WLAN's name. If you have multiple WLANs, each one has a net- 
work SSID associated with it. 



Here's where NetStumbler comes into play. NetStumbler can discover SSIDs 
and other detailed information about wireless APs, including the following: 



i^ MAC address 

V Name 

V Radio channel in use 
Vendor name 

i>* Whether encryption is on or off 



W RF signal strength (signal-to-noise ratio) 



Chapter 10: Wireless LANs 



iNetstumc 

ipBoote 

with their 



Figure 10-3 shows an example of what you might see when running 
NetStumbler in your environment. The information that you see here is what 
n see. NetStumbler and most other tools work by sending a probe- 
ignal from the client. Any APs within signal range must respond to 
with their SSIDs — that is, if they're configured to broadcast their SSIDs. 



Figure 10-3: 

NetStumbler 
displays 
detailed 

data on APs. 



i Network Stumbler - [capture t.nsl] 








HI-IB 


\S\ File Edit View 


Device Window Help 








... 's; xj 


□ G? Q > % Gf fi a > vB m f 


S "jj" Channels 


MAC | SSID | Ch 


Vendor 


Ty... 


| Encr . 


| SNR | 


S SSIDs 
m f Filters 


• 0040963... hackme 1* 
®0030AB... GoociCoffeeHere 1 


Cisco (Aironel) 
Delta (Netgear) 


AP 
AP 


WEF 
WEP 


24 






j 






li 


Ready 


1 AP active 






1 


GP5:Oisi 



Kismet — the popular wireless sniffer (network analyzer) for Linux and BSD 
UNIX — looks not only for probe responses from APs like NetStumbler does, 
but also for other 802.11 management packets, such as association responses 
and beacons. This allows Kismet to detect the presence of a WLAN even when 
probe-response packets are disabled in the AP — something that NetStumbler 
can't do. 

When you're using certain wireless security assessment tools, including 
NetStumbler and AiroPeek, your adapter may be put in passive monitoring 
mode. This means you can no longer communicate with other wireless hosts 
or APs while the program is loaded. Also, some programs require a specialized 
driver for your wireless card that often disables normal WLAN functionality. If 
this is the case, you need to roll back (reinstall) the original adapter's driver 
(supplied by the vendor) to restore the standard functions of your adapter. 

The best way to search for APs that are not broadcasting their SSIDs 
from within Windows is to use a WLAN analyzer such as AiroPeek (my 
favorite) — which is the sister product of the excellent wired network ana- 
lyzer EtherPeek — or TamoSoft's CommView for Wi-Fi (www . tamos . com/ 
products /commwi f i), which I've heard great things about. You can do this 
by enabling a capture filter on 802.11 management packets, as shown in 
AiroPeek's options in Figure 10-4. 

An ad-hoc mode — a peer-to-peer type setup — in WLANs can allow wireless 
clients to communicate directly with one another without having to pass 
through an AP. These types of WLANs operate outside the normal wireless 
security controls and, thus, can cause serious security issues above and 
beyond the normal 802.1 1 vulnerabilities. The best way to detect these rogue 
networks is to use NetStumbler. You can also use a WLAN analyzer or wire- 
less IDS and search for beacon packets where the ESS field is not equal to 1. 



Part III: Network Hacking 



dBoo 



General | Adapter ] 602.11 ] Triggers FftWs | statistics Output | 



Figure 10-4: 

AiroPeek 
detects APs 
that don't 
broadcast 
SSIDs. 





Comment 




□ 802.11 Ad-Hoc Network 


Beacon frames wrth ESS !... 




□ 802.1 1 Beacons 


Beacon packets 




□ 802.11 Control 


Control packets 




□ 802.11 Data 


Data packets 




□ 802 I t From PS 






□ 802 11 More Data 


More data bit on 




□ 802.11 More Fragments 


More fragments bit on 




□ 802 .11 No Beacons 


Exclude beacon packets 




□ 802.11 Order 


Order bit on 




□ 802.11 Retry 


Retry bit on 




□ 802.11 ToDS 


Packets to DS 




□ 802.11 WEP Packets 


Encrypted packets 




□ AppleTalk 


AppleTalk packets 




□ AppleTalk Broadcast 


Packets to the AppleTalk b 




□ Broadcast 


Physical layer broadcasts 


» 



Wireless Network Attacks 

Various malicious hacks — including various DoS attacks — can be carried 
out against your WLAN. This includes APs that are forced to reveal their SSIDs 
during the process of being disassociated from the network and rejoining. In 
addition, hackers can literally jam the RF signal of an AP — especially in 
802.1 lb and 802.1 lg systems — and force the wireless clients to reassociate 
to a rogue AP masquerading as the victim AP. Hackers can create man-in-the- 
middle attacks by maliciously using tools such as ESSID-jack and monkey-jack 
and can flood your network with thousands of packets per second by mali- 
ciously using packet-generation tools such as Gspoof or LANforge — enough 
to bring the network to its knees. Even more so than with wired networks, this 
type of DoS attack is practically impossible to prevent on WLANs. 

Various hacking tools for the UNIX platform can perform these types of hacks, 
including Cqure AP, HostAP, and AirJack. After hackers carry out these types 
of attacks against your WLAN, they can attempt to capture traffic and pene- 
trate into any systems that attach to it. 

You can carry out several — nonmalicious — attacks against your WLAN. The 
associated countermeasures help protect your network from these vulnera- 
bilities, as well as from the malicious attacks previously mentioned. When 
testing your WLAN security, look out for the following weaknesses: 

W Unencrypted wireless traffic 
Unauthorized APs 



Chapter 10: Wireless LANs 



I— ^ tf* Wire 

ipBoof^ 



I v 0 RF signals that are too strong 

Wireless equipment that's easy to access physically 
ult configuration settings 



A good starting point for testing is to attempt to attach to your WLAN as an 
outsider and run a vulnerability-assessment tool, such as LANguard Network 
Security Scanner. This test enables you to see what others can see on your 
network, including information on the OS version, open ports on your AP, and 
even network shares on wireless clients. Figure 10-5 shows the type of infor- 
mation that can be revealed about an AP on your network. 



Figure 10-5: 

A LANguard 
scan of a 
potentially 
vulnerable 
AP. 



' GFI LANguard Network Security Scanner v(3.2) 



Fife Edit View Scan Patches Tools LANguard Tray Help 

O©|Dffl|[0&r*l^-| 



B & Target:fe|l0.11.12.201 



10.11. 12.201 [ap] (Wireless Access Point) 



SNMP (system) 

Gf sysDescr:CiscoAP34011.10T1 
3 sysU pT ime : G days, 1 3 hours, 58 minutes, 1 1 seconds 
Of sysContact : Aironet Wireless Communications, Inc. 
JS sysName : ap 

jf Object 10:1.2.3.4.5.6.7.8.901 (Cisco CAP341 ) 
/4 Vendor : cisco 
B Time to live (TTL| : G4 (64) ■ Same network segment 
jg, TCP Ports (2) 

o 23 [ Telnet => Remote Login Protocol ] 
fi ■# 80 [Http=> World Wide Web, HTTP] thttpd/2.03 11jul98 
|g] UDPPoits(2) 
j— • 68 [ bootpc => Bootstrap Protocol Client ] 

* 151 [ SNMP => Simple Network Management Protocol ] 
& Alert* (2) 
l£ J Service Alerts (21 

3 [•) SNMP service is enabled on this host 

[£ Description : Numerous vulnerabilities have been reported in multiple vendors' SNMP ii 
£) Bugtraq ID /URL http,//www cert org/advisories/CA^OO^Oahtml 
3 Q] Telnet service is running 

jS Description : This service is dangerous because it doesn't encrypt data. Sensitive inlor 

I jJ 



Encrypted traffic 

Wireless traffic can be captured directly out of the airwaves, making this com- 
munications medium susceptible to malicious eavesdropping. Unless the traffic 
is encrypted, it's sent and received in cleartext just like on a standard wired 
network. On top of that, the 802.11 encryption protocol, Wired Equivalent 
Privacy (WEP), has its own weakness that allows hackers to crack the encryp- 
tion keys and decrypt the captured traffic. This vulnerability has helped put 
WLANs on the map — so to speak. 

WEP, in a certain sense, actually lives up to its name: It provides the privacy 
equivalent to that of a wired network and then some. However, it was not 
intended to be cracked so easily. WEP uses a fairly strong symmetric (shared- 
key) encryption algorithm called RC4. Hackers can observe encrypted wireless 
traffic and recover the WEP key due to a flaw in how the RC4 initialization 



Part III: Network Hacking 



mat ti 

pBodte 



vector (IV) is implemented in the protocol. This weakness is due to the fact 
that the IV is only 24 bits long, which causes it to be repeated every 16.7 mil- 
ets — even sooner in many cases, based on the amount of wireless 
itering and leaving the network. 




Most WEP implementations initialize WLAN hardware with an IV of 0 and 
increment it by one for each packet sent. This can lead to the IV's being 
reinitialized — started over at 0 — approximately every five hours. Given 
this, WLANs that have a small number of clients transmitting a relatively 
small rate of wireless packets are normally more secure than large WLANs 
that transmit a lot of wireless data. 



Using various UNIX-based tools such as WEPCrack (wepcrack. 
sourcef orge . net), AirSnort (ai rsnort . shmoo .com), and WepAttack 
(wepattack . sourcef orge .net), hackers need to collect only a few hours' 
up to a few days' (depending on how much wireless traffic is on the network) 
worth of packets to be able to break the WEP key. 




A longer key length, such as 128 bit or 192 bit, doesn't make WEP exponentially 
more difficult to crack. This is because WEP's static key scheduling algorithm 
requires only that about 20,000 or so additional packets be captured to crack 
a key for every extra bit in the key length. 



Although WEP is crackable, it's still much better than no encryption at all. 
Similar to the effect that home-security-system signs have on would-be home 
intruders, a wireless LAN running WEP is not nearly as attractive to a hacker 
as one without it. The hacker is likely to just move on to easier targets. 

You can carry out this attack against your network, but it probably won't 
prove anything other than WEP is vulnerable. After you implement the WEP 
countermeasures mentioned in the next section, you can always run some of 
the WEP cracking tools to ensure that the countermeasures are working. 




If you need to use your WLAN analyzer to view traffic as part of your security 
assessment, you won't be able to see any traffic if WEP is enabled unless you 
know your WEP key. You can enter your key into your analyzer, but just 
remember that hackers can do the same thing if they're able to crack your 
WEP key using one of the tools I mention earlier! 



Figure 10-6 shows an example of how you can view protocols on your WLAN 
by entering your WEP key into AiroPeek via the 802.11 tab in the Capture 
Options window before you start your packet capture. 



Countermeasures 

The simplest solution to the WEP problem is to use a VPN for all wireless com- 
munications. You can easily implement this in a Windows environment — for 



Chapter 10: Wireless LANs 



ipBooRiS 



free — by enabling PPTP for client communications. You can also use the 
IPSec support built into Windows, as well as SSH, SSL/TLS, and other propri- 
dor solutions, to keep your traffic secure. 



Figure 10-6: 

Using 
AiroPeek 
Client 
Managerto 
search for 
rogue APs. 



'Q AiroPeek - [Capture 1] 



Tools Window Help 



■ .1 SS% | 

| +?* I Accept only packets rr 



HilEEE 802.11 



B 802.11 Data 

B 3¥AP 

B IP 

- Trp 

SMTP 
HTTP 

! - SSH 



P-n-rn 1 -i.j .'■ 



B NetBIOS 
* SessHsg 
llane Svc 
Sess Req 
Pos Sess.. 



P0P3 
CIFS 
PPTP 



apturing wireless ChanneJ: 1 Packets 



11,931 
1,107 



15,720 
2,276 
1,680 



12,523 : 
6^588 : 
9,723 j 




|\ 3 auge ft Value / 
For Help, press Fl 



2/13/2004 19:13:18 
2/1 3/2004 19:13:18 
2/13/2004 19:13:18 



Rv-Lulvei.l event 302 1 1 Retry i> l.'i 
littp. .'.'cli.-mmie; .com. 1 " from pel 
http//tfummles.comAWeyCDA/trcrn ... 
http: /it ooltiarqueries . google .akadns .n . . . 
rttp: //dummies .com/i'VlleyC D A/site/du . . . 

fljl wireless [channel: 1 



Newer 802.11-based solutions exist as well. If you can configure your wireless 
hosts to regenerate a new key dynamically after a certain number of packets 
have been sent, the WEP vulnerability can't be exploited. Many AP vendors 
have already implemented this fix as a separate configuration option, so check 
for the latest firmware with features to manage key rotation. For instance, the 
proprietary Cisco LEAP protocol uses per-user WEP keys that offer a layer of 
protection if you're running Cisco hardware. 

The wireless industry has come up with a solution to the WEP problem called 
Wi-Fi Protected Access (WPA). WPA uses the Temporal Key Integrity Protocol 
(TKIP) encryption system, which fixes all the known WEP issues. WPA requires 
an 802. lx authentication server, such as a RADIUS server, to manage user 
accounts for the WLAN. Check with your vendor for WPA updates. 

A forthcoming 802. Hi standard from the IEEE integrates the WPA fixes and 
more. This standard is an improvement over WPA but is not compatible with 
older 802.11b hardware, due to its implementation of the Advanced Encryption 
Standard (AES) for encryption. The workaround for this is to use TKIP, which is 
backward-compatible with older hardware because it uses the RC4 encryption 
scheme. Keep an eye out for 802.1 li support for your wireless hardware. 



/ Part III: Network Hacking 




Rogue networks 



t for unauthorized APs and wireless clients attached to your net- 
t are running in ad-hoc mode. 

Using NetStumbler or your client manager software, you can test for APs that 
don't belong on your network. You can also use the network monitoring fea- 
tures in a WLAN analyzer such as AiroPeek. 



Look for the following rogue AP characteristics: 

f* Odd SSIDs, including the popular default ones linksys, tsunami, comcom- 
com, and wireless. 

Odd AP system names — that is, the name of the AP if your hardware 
supports this feature — not to be confused with the SSID. 

MAC addresses that don't belong on your network. Look at the first 
three bytes of the MAC address (the first six numbers), which specify 
the vendor name. You can perform a MAC-address vendor lookup at 
coffer . com/mac_f i nd to find information on APs you're unsure of. 

Weak radio signals, which can indicate that an AP has been hidden away 
or is on the outside of your building. 

i>* Communications across a different radio channel than what your net- 
work communicates on. 

A degradation in network throughput for any WLAN client. 

Figure 10-7 shows how you can use AiroPeek's Monitor utility to spot an odd 
network host (the NETGEAR system) when you have a Cisco Aironet-only net- 
work, or vice versa. 

My test network for this example is small compared to what you might see, 
but you get the idea of how an odd system can stand out. 




Don't rely solely on this method. Hackers can spoof their MAC addresses, 
making them look like Cisco Aironet systems that belong on your network. 



Walk around your building or campus to perform this test to see what you 
can find. Physically look for devices that don't belong — a well-placed AP or 
WLAN client that's turned off won't show up in your network analysis tools. 
Search near the outskirts of the building or near any publicly accessible 
areas. Scope out boardrooms and the offices of upper-level managers for any 
unauthorized devices. These are places that are typically off-limits but often 
are used as locations for hackers to set up rogue APs. 



Chapter 10: Wireless LANs 




Fipre nf-7: 

Using 
AiroPeek's 
Monitor to 
spot a 
product that 
doesn't 
belong. 



- - ■ 



Capture Send Monitor Tools Window Help 

i l a d m ai I * I i! it a si s i 



elllBC2.11 z\\ -| j-|~-| 

| Channel | Enctyptlor Zui. Slgna Maw Signal 



f |fi|» -»| 



l^es Senl J Bjites Rece red ' etry Pack et; ets Sen] Packeii Rece ived 



] - MecgeaEiAO. . . j 
I ESS ID UnXnoran 
H BSSID Unknown 
Ethernet B. . . 
01:40:96: F. . . 
: 01:40:96:0... ; 



1,580,544 39,837,935 
39,628,971 1,767,602 



17,235 
29,261 



44,187 
43,599 




WLANs authenticate the wireless devices, not the users. Hackers can use this 
to their advantage by gaining access to a wireless client via remote-access 
software such as telnet or SSH or by exploiting a known application or OS vul- 
nerability. After they're able to do that, they potentially have full access to 
your network. 



Countermeasures 

The only way to detect rogue APs and hosts on your network is to monitor 
your WLAN proactively, looking for indicators that wireless clients or rogue 
APs might exist. But if rogue APs or clients don't show up in NetStumbler or 
in your client manager software, that doesn't mean you're off the hook. You 
may also need to break out the WLAN analyzer, wireless IDS, or other net- 
work management application. 

You can enable MAC-address filtering controls on your AP so that wireless 
clients must have an authorized MAC address before being allowed to con- 
nect. The problem with this countermeasure is that hackers can easily spoof 
MAC addresses in UNIX by using the i f conf i g command and in Windows 
with the SMAC utility, as I describe in Chapter 9. However like WEP, MAC- 
address-based access controls are another layer of protection and better 
than nothing at all. If a hacker spoofs one of your MAC addresses, the only 
way to detect malicious behavior is to spot the same MAC address being 
used in two or more places on the WLAN. 

You may be able to make a couple of configuration changes — depending on 
your AP — to keep hackers from carrying out these tests against you: 

I If possible, increase your wireless beacon broadcast interval to the max- 
imum setting, which is around 65,535 milliseconds (roughly 66 seconds). 
This can help hide the AP from hackers who are wardriving or walking 
by your building quickly. 



160 Part I": Network Hacking 




is* Disable probe responses to prevent your AP from responding to 
NetStumbler requests. 

^^sj^^^onal firewall software such as BlacklCE — my favorite — (bl acki ce . 
i ss . net) or ZoneAlarm (www . zonel abs .com) on all client computers to pre- 
vent unauthorized remote access to your network. 



Physical-security problems 

Various physical-security vulnerabilities can result in physical theft, the 
reconfiguration of wireless devices, and the capturing of confidential informa- 
tion. You should look for the following security vulnerabilities when testing 
your systems: 

APs mounted on the outside of a building and accessible to the public. 

Poorly mounted antennas — or the wrong types of antennas — that 
broadcast too strong a signal and that are accessible to the public. 
You can view the signal strength in NetStumbler or your wireless client 
manager. 

These issues are often overlooked due to rushed installations, improper plan- 
ning, and lack of technical knowledge, but they can come back to haunt you 
later. 

Cotmtermeasures 

Secure APs, antennas, and other equipment in secure closets, ceilings, or 
other places that are difficult for a would-be intruder to access physically. 
Terminate your APs outside any firewall or other network perimeter security 
devices — or at least in a DMZ — whenever possible. If you place the wireless 
equipment inside your secure network, it can negate any benefits you would 
get out of your perimeter security devices. 

If wireless signals are propagating outside your building where they don't 
belong, either 

Turn down the transmit power setting of your AP. 

V Use a smaller or different antenna (semidirectional or directional) to 
decrease the signal. 

Some basic planning helps prevent these vulnerabilities. 



Chapter 10: Wireless LANs 



Vulnerable Wireless Workstations 



pBocfc 



workstations have tons of security vulnerabilities — from weak 
tls to unpatched security holes to the storage of WEP keys locally. 
One serious vulnerability is for wireless clients using the Orinoco wireless 
card. The Orinoco Client Manager software stores encrypted WEP keys in the 
Windows Registry — even for multiple networks — as shown in Figure 10-8. 



Figure 10-8: 

Encrypted 
WEP key of 
a wireless 
card. 



f," Registry Editor 










BI-IE3 


Registry 


Edit View Favorites Hefe 
















H O Microsoft 




Name 


Type 


Data 








i-*' LJ Mirabilis 


.^(Default! 


REG_SZ 


(value not set) 








El LJ Mozilla 

S-Q moalla.org 

+ j MozillaPlugins 

0 LJ Network Associates 

EE £2 Network Ice 

H LJ Nico Mak Computing 

E LJ Northwest Performance 5oftware, Inc. 

E L_) Novel 

E LJ ODBC 




SSjAPMode 

^ConfigName 

530createI655 

£>>]DesiredSSID 

^Encryption 

jja] Micr o Waveftobustness 

*!.'] Mot. ■..!■:, i- I; Ad dress 

KojNetvjorkType 


REG_DWORD 

RECJSZ 

REG_DWORD 

REG_5Z 

REG_5Z 

REG_DWORD 

REG_SZ 

REGJ5WORD 


0x00000000 (0) 
Encrypted 

0x00000000 (0) 

G?TIUEA]dEMAdZv'dec]L-<@/F : , VF/(FR2)6 
0x00000000 (0) 

0x00000000 (0) 


^5* , *8*W6;+G6>,7NA,., 






S Q ORWOCO 

f"l Client Manager 
'■- B CJ Driver 


J 


SjJjOwnChannel 

S)Own5SID 

^PMEnabled 


REG_DW0RD 

REG_SZ 

REG_DWORD 


0x00000000 (0) 
0x00000000 (0) 








CJ ConfigOl 




|KS|PortType 


REGJWORD 


0x00000001 (1) 












SJ]RT5Threshold 


REG_DW0RD 


0x0000092b (2347) 








: LJ ConFig03 
CJ Config04 


J 


^jjjSysternScale 
StfjTCPIPBehavior 


PEG DWORD 
REG_DWORD 


0x00000001 (1) 
0x00000000 (0) 




My Computer\Hk'EV_LOCAL_MACHINE\50FTWARE\ORiNOCO\Driv 


r\Config02 







You can crack the key by using the Lucent Orinoco Registry Encryption/ 
Decryption program found at www . cqure . net/tool s . j s p ? i d=3. Make sure 
that you use the d command-line switch and put quotes around the encrypted 
key, as shown in Figure 10-9. This program comes in handy if you forget what 
your key is, but it can be used against you as well. 



Figure 10-9: 

Cracking a 
WEP key 
with Lucent 
Orinoco. 



ireless>lrc -d "G?TI UEA IdEMftdZU ' dec ]L-<0/F: , ' UF/<FR2 >6"E*' *8*U6 ; *GB>,7Nfl-' ZD - 
X&G.H2J/8>M0<JP0XUSlHbU29.V3>:\3YF_4IRb56" 
it Orinoco Registry Encryption/Decryption 
ion 8.3 

nders Inge born. iXsecurity 2081 < in ge bo rnP insecurity .coin) 
node by Don French, 2002 <f rench_doneyahoo.com> 
Input value = G?T IUEfi MEMAdZU' dec 1L-<P/F: , ' UF/CFR2>6"5*' *8*U6 ; +GB>,7Nfl-' ZD-X&G.H 
"J/8>M0<JP0XUSlHbU29.V3>:\3YF_4IRbE6 

ypted key is: wuwti" Cor 7799779922 in hex> 

J : \wire less >_ J 



If hackers remotely access a workstation via the Connect Network Registry in 
regedit, they can obtain these keys, crack them, and be on your network in a 

jiffy. 



Countermeasures 

You can implement the following countermeasures on your workstations to 
keep them from used as entry points into your WLAN. 



162 Part Network Hacking 



DropBoote 



V Regularly perform vulnerability assessments on your wireless worksta- 
tions, as well as your other network hosts. 



ly the latest vendor security patches and enforce strong user 
words. 



Use personal firewalls on these systems to keep malicious intruders off 
of those systems and out of your network. 

Install antivirus software. 

V Consider installing an antispyware application such as PestPatrol. 



Default configuration settings 

Similar to wireless workstations, wireless APs have many known vulnerabili- 
ties. The most common ones are default SSIDs and admin passwords. The 
more specific ones occur only on certain hardware and software versions 
that are posted in vulnerability databases and vendor Web sites. 

The one vulnerability that stands out above all others is that certain APs, 
including Linksys, D-Link, and more, are susceptible to a vulnerability that 
exposes any WEP key(s), MAC-address filters, and even the admin password! 
All that hackers have to do to exploit this is to send a broadcast packet on 
UDP port 27155 with a string of gstsearch. 

To test for this vulnerability, you can use a program called pong. This pro- 
gram sends the broadcast packet automatically and returns any information 
it discovers. To run pong, follow these steps: 

1. Download the program from www.mobi leaccess.de/wlan/dl .php/ 
pong_vl . 1 . zi p. 

2. Unzip the program to c : \wi rel ess (or a similar directory). 

3. Drop out to a DOS prompt, and enter pong. 

If pong returns no answer, as shown in Figure 10-10, you're safe. Otherwise, 
look out! 



Figure 10-10: 

The results 
you should 
get from 
pong. 



a 








C:\wire less\pong>pong -r 
ilLflN exploit pi'ogran Ul.l 
Binary gently provided bij http:/ 


mobileacces 


s.de/ 


: 


Z : \wire less\pong> 









Chapter 10: Wireless LANs 



Countermeasures 



pBocfe 



mplement some of the simplest and effective security countermea- 
WLANs — and they're all free: 



Make sure that you change default admin passwords, AP names, and 
SSIDs. 

f Disable SSID broadcasting if you don't need this feature. Figure 10-11 
shows the SSID setting for a Cisco Aironet AP. 

Disable SNMP if you're not using it. 

Apply the latest firmware patches for your APs and WLAN cards. This 
countermeasure helps to prevent various vulnerabilities, including the 
UDP broadcast exploit. If you find that it doesn't, consider using another 
vendor's wireless products. 



Figure 10-11: 

Cisco 
Aironet 
setting to 
disable 
SSID 
broadcasts. 



3 ap AP Radio Hardware - Microsoft Internet Enploi 



File Edit View Favorites Tools Help 

^ Back " -* - <Q £*| | ^Search ^Favorites ^fMedia ^ J | ' ^ ^ 0 



Address \&\ http://10.ll, 12. 201/SetHwPC4800,shm?ifIndex=2 



Co jjlc j 



~~\ (ft Search Web - GJseardiSfc £5 G* . (p I P J*™* 



i, (fe> r~E] : 



ap AP Radio Hardware 

Cisco AP340 11. 10T1 
Mm Hel p 

Service Set ID (SSID): |hackme 

Allow "Broadcast" SSID to Associate?: C yes S no 

Enable "World Mode" multi-domain operation?: I no H 

Data Rates (Mb /sec): 

1.0 IbasicJ 2.0 IbasicJ 5.5 IbasicJ 11.0 | besie^J 



Cisco Systems 



Uptime: 6 days, 1 1 :04:45 



Transmit Power: 

Frag. Threshold (256-2338): 

Max RTS Retries (1-128): 

Beacon Period (Kusec): 

Default Radio Channel: 

Search for less-congested Radio Channel?: 



30mW_J 



RTS Threshold (0-2339): £339 
Max. DataRetnes (1-128): [55 



100 Data Beacon Rate (DUM): |2 
1 [241 2 MHz] j] In Use: 1 



Receive Antenna: | Diversity _J 
Radio Data Encryption QWEP) 



no zi Restrict Searched Channels 
Transmit Antenna: | Diversity 



| Apply | OK | Cancel | Restore Defaults 



40 Internet 



Part III: Network Hacking 



DropBooks 



DropBooks 



In this part . . . 

]\Jow that you're past the network level, it's time to 
# w get down to the nitty-gritty — those fun operating 
systems you use on a daily basis and have come to both 
love and hate. There's definitely not enough room in this 
book to cover every operating system version or even 
every operating system vulnerability, but I certainly hit 
the important parts — especially the ones that aren't 
easily fixed with patches. 

This part starts out by looking at the most widely used 
(and picked on) operating system — Microsoft Windows. 
From Windows NT to Windows Server 2003, 1 show you 
some of the best ways to attack and secure these operat- 
ing systems from the bad guys. This part then takes a look 
at Linux and its less publicized yet still major security 
flaws. Many of the hacks and countermeasures I cover can 
apply to many other flavors of UNIX as well. This part then 
moves on to the tried-and-true Novell NetWare operating 
system — perhaps the most secure in this lineup but still 
not vulnerability-free as many Novell die-hards like to 
believe. I cover the major issues along with solid counter- 
measures you can implement to keep your mighty Novell 
boxes secure and still mostly reboot-free. 



Chapter 11 

Windows 

In This Chapter 

Port scanning a Windows server 

Gleaning Windows information without logging in 

Exploiting common vulnerabilities when logged into Windows 

Minimizing Windows security risks 



rhe Microsoft Windows OS family (with such versions as NT, 2000, XP, and 
Server 2003) is the most widely used OS in the world. It's also the most 
widely hacked. Is this because Microsoft doesn't care as much about security 
as other OS vendors? The short answer is no. Sure, numerous security flaws 
were overlooked — especially in the Windows NT days — but because 
Microsoft products are so pervasive throughout networks, Microsoft is the 
easiest vendor to pick on, and often it's Microsoft products that end up in the 
crosshairs of hackers. This is the same reason that you see so many vulnera- 
bility alerts on Microsoft products. The one positive about hackers is that 
they're driving the requirement for better security! 



DropBooks 



Many security flaws in the headlines aren't new. They're variants of vulnera- 
bilities that have been around for a long time in UNIX and Linux, such as the 
RPC vulnerabilities that the Blaster worm used. You've heard the saying "the 
more things change, the more they stay the same." That applies here, too. 
Most Windows attacks are prevented if the patches were properly applied. 
Thus, poor security management is often the real reason Windows attacks 
are successful, yet Microsoft takes the blame and must carry the burden. 

In addition to the password attacks I cover in Chapter 7 and some of the mal- 
ware attacks I cover in Chapter 14, many other attacks are possible against a 
Windows-based system. Tons of information can be gleaned from Windows 
by simply connecting to the system across a network and using tools to pull 
the information out. Many of these tests don't even require you to be authen- 
ticated to the remote system. All hackers need is a Windows computer with a 
default configuration that's not protected by such measures as a firewall. 



Part IV: Operating System Hacking 



now man' 
techniaui 



When you start poking around on your network, you may be surprised at 
how many of your Windows-based computers have security vulnerabilities. 

connect to a Windows system and have a valid user name and pass- 
either knowing it or deriving it from using the password cracking 
techniques in Chapter 7), you can test other aspects of Windows security 



This chapter shows you how to test for some of the most critical attacks 
against the Windows OS family and outlines countermeasures to make sure 
your systems are secure. 



Windows Vulnerabilities 

Given the general ease of use of Windows, its enterprise-ready Active 
Directory service, and the feature-rich .NET development platform, many 
organizations have moved to the Microsoft platform for their networking 
needs. Many businesses — especially the small to medium-sized ones — 
depend solely on the Windows OS for network usage. Many large organiza- 
tions run critical servers such as Web servers and database servers on the 
Windows platform. If security vulnerabilities aren't addressed and managed 
properly, they can bring a network or an entire organization to its knees. 

When Windows and other Microsoft software are attacked — especially by a 
widespread Internet-based worm or virus — hundreds of thousands of orga- 
nizations and millions of computers are affected. Many well-known attacks 
against Windows can lead to 

V Leakage of confidential information, including files being copied and 
credit card numbers being stolen 

*** Passwords being cracked and used to carry out other attacks 

Systems taken completely offline by DoS attacks 

Entire databases being corrupted or deleted 




When insecure Windows-based systems are attacked, serious things can 
happen to a tremendous amount of computers around the world. 



Choosing Toots 

Thousands of Windows hacking and testing tools are available. The key is to 
find a set of tools that can do what you need and that you're comfortable 
using. 



Chapter 11: Windows 




Many security tools — including some of the tools in this chapter — aren't 
designed for Windows Server 2003 and newer operating systems but work 

However, the program documentation sometimes isn't updated to 
; compatibility. The most recent version of each tool in this chapter 
is compatible with Windows NT, 2000, and Server 2003. 



aesignea ic 
^ilh/t|wm. 



The more security tools and other power user applications you install in 
Windows — especially programs that tie into the network drivers and TCP/IP 
stack — the more unstable Windows becomes. I'm talking about slow perfor- 
mance, blue screens of death, and general instability issues. Unfortunately, 
often the only fix is to reinstall Windows and all your applications. I've had to 
rebuild my system once during the writing of this book and a total of three 
times in the past year. Ah, the memories of those DOS and Windows 3.x days 
when things were much simpler! 



Essential toots 



Every Windows security tester needs these special tools: 



^\ ? _ & v 0 Nmap (www . i nsecure . org) for UDP and other types of port scanning 
Nmap is an excellent tool for OS fingerprinting. 

Vision (www . f oundstone . com) for mapping applications to TCP/UDP 
ports 



Free Microsoft toots 

You can use the following Windows programs and free security tools that 
Microsoft provides to test your systems for various security weaknesses. 

Built-in Windows programs (Windows 9x and later versions) for NetBIOS 
and TCP/UDP service enumeration: 

• nbtstat for gathering NetBIOS name table information 

• netstat for displaying open ports on the local Windows system 

• net for running various network based commands including view- 
ing of shares on remote Windows systems 

Microsoft Baseline Security Analyzer www .mi crosoft . com/technet/ 
secur ity /tool s/mbsa home, asp for testing for missing patches and 
basic Windows security settings. 



Part IV: Operating System Hacking 




f Windows Resource Kits (including some tools that are free for download 
at www .mi crosoft .com) for security and OS management. 

can get specific details about Resource Kit books published by 
osoft Press at www .mi crosoft .com/1 earni ng. 




Att-in-one assessment toots 

The following tools perform a wide variety of security tests including 

V Port scanning 

OS fingerprinting 

Basic password cracking 

f* Detailed vulnerability mappings of the various security weaknesses the 
tools find on your Windows systems 

I recommend any of these comprehensive sets of tools: 

i>* LANguard Network Security Scanner (www . gf i .com) 
QualysGuard (www . qualys . com) 

QualysGuard has very detailed and accurate vulnerability testing. 
v 0 Nessus (www . nessus . org) 



Task-specific toots 



The following tools perform one or two specific tasks. These tools provide 
detailed security assessments of your Windows systems and insight that you 
may not otherwise get from all-in-one assessment tools: 



V SuperScan (www . f oundstone . com) for TCP port scanning and ping 
sweeps. 

A tool for enumerating Windows security settings. Given the enhanced 
security of Windows Server 2003, these tools can't connect and enumer- 
ate a default install of Windows Server 2003 system like a Windows 2000 
or NT system — but you can use these tools nonetheless. It's a good 
idea to test for vulnerable "non-default" configurations in case the 
secure default settings have been changed. 

To gather such information as security policies, local user accounts, and 
shares, your decision may be based on your preferred interface: 



Chapter 11: Windows 



DropBooks 




Winfo (www . ntsecuri ty . nu/tool box/wi nf o) runs from the 
Windows command line. 

DumpSec (www . soma rsof t . com) runs from a graphical Windows 
interface. 

• Walksam (razor. bindview.com/tools/files/rpctools-1.0. 
z i p) runs from the Windows command line. 

If you're scanning a network only for Windows shares, consider Legion 

(packetstormsecurity.nl/groups/rhino9/leg ionv21.zip). 

V Rpcdump (razor.bindview.com/tools/files/rpctools-l.O.zip) 
for enumerating RPC ports to search for running applications. 

Network Users (www . opt imumx. com/down load/netusers. zip) for 
gathering Windows login information. 



Information Gathering 




When you assess Windows vulnerabilities, start by scanning your computers 
to see what the bad guys can see. 

The hacks in this chapter are against the versions of the Windows Server OS 
(NT, 2000, and Server 2003) from inside a firewall. Unless I point out otherwise, 
all the tests in this chapter can be run against all versions of the Windows 
server OS. The attacks in this chapter are significant enough to warrant test- 
ing for regardless of your current setup. Your results may vary from mine 
depending on these factors: 

V OS versions 

f* Security measures, such as patch levels and access controls (such as 
firewall policies and local Windows security policies) 



System scanning 

A few straightforward processes can identify weaknesses. Other steps can 
minimize your vulnerability. 

Testing 

Start gathering information about your Windows systems by running an ini- 
tial port scan: 



Part IV: Operating System Hacking 



DBooks 



1. Run basic scans to find which ports are open on each Windows system: 

Scan for TCP ports with a port scanning tool, such as SuperScan or 
Nmap. 



Scan for UDP ports with a port scanning tool, such as Nmap. 



Perform OS enumeration (such as scanning for shares and specific OS 
versions) by using an all-in-one assessment tool, such as LANguard 
Network Security Scanner. 

Scan your Windows systems for open ports that could point to poten- 
tial security vulnerabilities. 

The tool you use depends on whether you need a basic summary of vul- 
nerable ports or a comprehensive system report: 

• If you need a basic summary of open ports, scan your Windows 
systems with SuperScan. 

The SuperScan results in Figure 11-1 show several potentially vul- 
nerable ports open on a Windows Server 2003 system, including 
those for SMTP (port 25), a Web server (port 80), RPC (port 135), 
and the ever popular — and easily hacked — NetBIOS (ports 139 
and 445). 



Figure 11-1: 

Scanning a 
Windows 
Server 2003 
system with 
SuperScan. 









Hostname Lookup 




Configuration 


ll 


Lookup 


Port list setup | 




Resolved | 


Me | Interlaces | 



Start|l0 11.12.200 -^j 
Stop|l0.11. 12.200 

PrevC| Nextc| 1. 254 | 



fv Ignore IP zero 
W Ignore IP 255 
I - Extract from file 



Ping 
[400 

Connect 
1 2000 

Read 



Scan type 

W Resolve hostnames 
W Only scan responsive pings 
fv Show host responses 
f* Ping only 
f Every port in list 
(• All selected ports in 
f* All list ports from 
All ports from 




Scan- 


I 0 


110.11.12200 


l~5" 




1 EB 


110.11.12200 


nr 




1 EB 


flatl.12.200 


' l~5" 


*R 


Slop 





Speed 

Max 



bV 10.11.12.200 wimt 

B o 21 File Transfer Protocol [Control) 

ID 220 winnt Microsoft FTP Service (Version 2.0)... 
- a 90 WorldWideWebHTTP 

QD HTTP/1.0 200 OK-Server: Miciosoft-IIS/Z0..Date: Thu. C 
i 1 39 NETBIOS Session Service 



Active host s 
□ pen ports 
Save I 



Collapse all | 
Expand all | 
t | Prune | 



• If you need a comprehensive system report, scan your Windows 
systems with LANguard Network Security Scanner. 

In Figure 11-2, LANguard shows the server version (identified as 
Windows XP initially and then later as Windows 2003), the system's 
current date and time setting and system uptime, and the server's 
domain (PL). 



Chapter 11: Windows 




Figure 11-2: 

Gathering 
system 
details with 
LANguard 
Network 
Security 
Scanner. 



* GFI LANguard Network Security Scanner v(3.2) 



File Edit View Scan Patches Tools LANguard Tray Help 



I0S names (10) 
WINNT - Workstation Service 
INet~Services ■ IIS 
IS~WINNT - Workstation Service 
WINNT - File Server Service 
WINNTGROUP- Domain Name 
WINNT -Messenger Service 
WINNTGROUP • Browser Service Elections 
WINNTGROUP - Master Browser 
||_MSBROWSE_| - Master Browser 
_ ADMINISTRATOR - Messenger Service 
g Username : ADMINISTRATOR 
9£ MAC: 00-1 1 -22-33-44-55 

0 Time to live (TTL) : 128 (128) - Same network segment 
er Address mask; 255.255.255.0 
Of LAN Manager : NT LAN Manager 4.0 
0 Domain: WINNTGROUP 
- £ TCP Ports (4) 

a ■ tfP 21 [ Ftp -> File Transfer Protocol ] 

B & 80 [ Http => World Wide Web, HTTP ] Microsoft-IIS/2.0 

• 1 35 [ epmap => DCE endpoint resolution ] 

O 1 39 [ Netbios-ssn => NETBIOS Session Service ] 
■-. fij UDP Ports (31 

o 1 35 [ epmap -> DCE endpoint resolution ] 
o 1 37 [ Netbtcc-NS =: Netbios Name Service i 

• 138 [ Netbios-DGM => Netbios Datagram Service ] 



You can run Nmap with the 0 option to confirm the OS characteris- 
tics — the version information referred to as the OS fingerprint — 
that you found with your scanning tool, as shown in Figure 1 1-3. 

A hacker can use this information to determine potential vulnerabilities 
for your system. Make sure you've applied the latest patches and system 
hardening best practices. 

In Figure 1 1-3, Nmap reports the OS version as Windows .NET Enterprise 
Server — the original name of Windows Server 2003. 



Figure 11-3: 

Using Nmap 
to determine 
the 
Windows 
version. 



:.: : \: 



iap>nmap 10.11.12.199 -O 

< http : //\i\m. : 



'ting nnap 3 
idard Time 

;resting ports on uin2k3 C10.ll .12 .199> : 
(The 1652 ports scanned but not shown below are 
PORT STATE SERUICE 

13 5 /t cp open msrpc 
139/tcp open netbios-ssn 
445 /tcp open microsof t-ds 
1025/tcp open NFS-or-IIS 
1026/tcp open LSfl-or- nterm 
Device type: general purpose 
Running: Microsoft Uindous 2003/ . NET 
|0S details: Microsoft Windows .NET Enterprise S. 



org/nnap > at 2004-01-01 15:11 East 
state : closed> 



'(map run i 
|C:\nnap>_ 



npleted — 1 IP address <1 hos 



< build 3604-3790> 
d in 9.223 seconds 



i 



Countermeasures 

You can prevent a hacker from gathering certain information about your 
Windows systems by implementing the proper security settings on your net- 
work and on the Windows hosts themselves. 



Part IV: Operating System Hacking 



_^ it wu doi 

pBooks 



Information 

If you don't want anyone gathering information about your Windows systems, 
two options: 



v* Protect Windows with either of these countermeasures: 

• A firewall that blocks the Windows-specific ports for RPC (port 
135) and NetBIOS (ports 137-139 and 445) 

• An intrusion prevention system, such as the host-based BlacklCE 
software 

v* Disable unnecessary services so that they don't appear when a connec- 
tion is made 



Fingerprinting 

You can prevent OS fingerprinting tests by either 

IV Using a host-based intrusion prevention system 
v* Denying all inbound traffic with a firewall — this just may not be practi- 
cal for your needs 



NetBIOS 



You can gather Windows information by poking around with NetBIOS 
(Network Basic Input/Output System) functions and programs. NetBIOS 
allows applications to make networking calls and communicate with other 
hosts within a LAN. 

These Windows NetBIOS ports can be compromised if they're not properly 
secured: 



v* UDP ports for network browsing: 

• Port 137 (NetBIOS name services) 

• Port 138 (NetBIOS datagram services) 
v* TCP ports for Server Message Block (SMB): 

• Port 139 (NetBIOS session services) 

• Port 445 (runs SMB over TCP/IP without NetBIOS) 
Windows NT doesn't support port 445. 



Chapter 11: Windows 



■-^ The follow 

ipbOOKS 



Hacks 

following hacks can be carried out on unprotected systems running 



Unauthenticated enumeration 

When you're performing your unauthenticated tests, you can gather configu- 
ration information about the local or remote systems with either 

All-in-one assessment tools, such as LANguard Network Security 
Scanner. 

t<" The nbtstat program that's built into Windows (nbtstat stands for NetBIOS 
over TCP/IP Statistics). Figure 11-4 shows information that you can gather 
from a Windows Server 2003 system with a simple nbtstat query. 



Figure 11-4: 

Using 
nbtstat to 
gather 
critical 
Windows 
information. 



indous>nbtstat -A 18.11.12.200 
d: 

It-Address: [10.11.12.202] Scope Id: U 
NetBIOS Demote Machine Nane Table 



J 



UINNT 

INet~Seruices 

IS~YJINNT 

UINNT 

MI NNTGHOUP 
UINNT 

LJINNTGROUP 
UINNT GROUP 

J1SBROUSE 

ADMINISTRATOR 



<00> UNIQUE 



<03> 
<1E> 
<1D> 
<01> 
<03> 



UNIQUE 
GROUP 
UNIQUE 
GROUP 
UNIQUE 



Registered 

Registered 



MAC Address - 001 1-2 2 -33-44-5 E 



|C:\windous>_ 



nbtstat shows the remote computer's NetBIOS name table, which you gather 
by using the nbtstat -A command. This displays the following information: 

V Computer name 
Domain name 
Computer's MAC address 

You may even be able to glean the ID of the currently logged user from a 
Windows NT or Windows 2000 server. 



A GUI utility such as LANguard Network Security Scanner isn't necessary to 
gather this basic information from a Windows system. The graphical interface 
offered by commercial software such as this just presents its findings in a 
prettier fashion! 



Part IV: Operating System Hacking 



Wuidows 1 

DBocfe 



Shares 

Windows uses network shares to share out certain folders or drives on the 
other users can access them across the network. Shares are easy 
and work very well. However, they're often misconfigured, allowing 
hackers and other unauthorized users to access information they shouldn't 
be able to get to. You can search for Windows network shares by using the 
Legion tool. This tool scans an entire range of IP addresses looking for 
Windows shares. It uses the SMB protocol (TCP port 139) to discover these 
shares and displays them in a nice graphical fashion sorted by IP address, as 
shown in Figure 1 1-5. 



Figure 11-5: 

Using 
Legion to 
scan your 
network for 
Windows 
shares. 



File Help 

-Scan Type 

Scan Range 
C Scan List 

4 shales lound on 2 lemole hosts 



LEGION v2. 1 



Entei Stall IP ptT p 
Entei End IP p0~ |TT~ p?~~ pOT; 

WI011.121S9\Custt)meis 
W10.11 12.199\RH> 
W10.11 12.200\Finance 
\VI0.11.12.200\HR 



The shares displayed in Figure 11-5 are just what hackers are looking for — 
especially because the share names give hackers a hint at what type of files 
might be available if they connect to the shares. After hackers discover these 
shares, they're likely to dig a little further to see if they can browse the files 
and more within the shares. I cover shares in more detail in the "Share 
Permissions" section, later in this chapter. 

Countermeasures 

You can implement the following security countermeasures to minimize 
NetBIOS attacks on your Windows systems. 

Limit traffic 

You can protect your Windows systems from NetBIOS attacks by using some 
basic network infrastructure protection systems as well as some general 
Windows security best practices: 



Chapter 11: Windows 





v 0 If possible, the best way to protect Windows-based systems from NetBIOS 
attacks is to put them behind a firewall. 

ewall isn't always effective. If the attack comes from inside the net- 
a network-perimeter-based firewall won't help. 

If a perimeter-based firewall won't suffice, you can protect your 
Windows hosts by either 

• Installing a personal firewall such as BlacklCE 

This is the simplest and most secure method of protecting a 
Windows system from NetBIOS attacks. 

• Disabling NetBIOS on your systems. 

This often requires disabling Windows file and printer sharing — which 
may not be practical in a network mixed with Windows 2000, NT, and even 
Windows 9x systems that rely on NetBIOS for file and printer sharing. 

Hidden shares — those with a dollar sign ($) appended to the end of the 
share name — don't really help hide the share name. Hackers found out long 
ago that they can easily get around this form of security by obscurity by 
using the right methods and tools. 

Passwords 

If NetBIOS network shares are necessary, make strong passwords mandatory 




With the proper tools, hackers can easily crack NetBIOS passwords across 
the network. NetBIOS passwords aren't case sensitive, so they can be cracked 
more easily than case sensitive passwords that require both capital and small 
letters. Chapter 7 explains password security in detail. 



RPC 




Windows uses remote procedure call (RPC) and DCE internal protocols to 

u* Communicate with applications and other OSs. 
i>* Execute code remotely over a network. 

RPC in Windows uses TCP port 135. 

RPC exploits can be carried out against a Windows host — perhaps the best- 
known being the Blaster worm that reared its ugly head after a flaw was found 
in the Windows RPC implementation. 



Part IV: Operating System Hacking 



Enumeration 



use RPC enumeration programs to see what's running on the host, 
information, hackers can then penetrate the system further. 

Rpcdump is my favorite tool for enumerating RPC on Windows systems. Figure 
1 1-6 shows the abbreviated output of Rpcdump run against a Windows 2000 
server. Rpcdump found the RPC listeners for MS SQL Server and even a DHCP 
server running on this host — and this is a hardened Windows 2000 server 
with all the latest patches running BlacklCE intrusion prevention software! 



Figure 11-6: 

Rpcdump 
shows RPC- 
based 



linding: ncalrpc : ELRPC00000724. 00000061 J 

[fid: 3F99b900-4d87-101b-99b7-aa000400?f07 uei 
Annotation: MS SQL Server 

JUID: 00000000-0000-0000-0000-000000000000 
pinding: ncacn_np:\\\\UI N2K[\\pipe\\00000724 .1 

If Id: 3f99b900-4d87-101b-99b7-aa0004007f07 oei 
Annotation: MS SQL Server 

JUID: 00000000-0000-0000-0000-000000000000 
ling: ncacn_ip_tcp:10.11 .12 .2 110271 

^:\uindous\rpctools> 



Countermeasures 



The appropriate step to prevent RPC enumeration depends on whether your 
system has network-based applications, such as Microsoft SQL and Microsoft 
Outlook: 



JUNG/ 



4? 



/>* Without network-based applications, the best countermeasure is a fire- 
wall that blocks access to RPC services (TCP port 135). 

This firewall may disable network-based applications. 

If you have network-based applications, one of these options can reduce 
the risk of RPC enumeration: 

• If highly critical systems such as Web or database servers need 
access only from trusted systems, give only trusted systems 
access to TCP port 135. 

• If your critical systems must be made accessible to the public, 
make sure your RPC-based applications are patched and config- 
ured to run as securely as possible. 

Don't try to disable the RPC server within Windows with such "fixes" as 
Registry hacks. You may end up with a Windows server or applications that 
stop working on the network, forcing you to reinstall and reconfigure the 
system. 



Chapter 11: Windows 



Nutt Sessions 



DropBoote 

( null sessk 



wn vulnerability within Windows can map an anonymous connection 
(null session) to a hidden share called IPC$ (interprocess communication). This 
attack method can be used to 

V Gather Windows host configuration information, such as user IDs and 
share names. 

f" Edit parts of the remote computer's Registry. 



Hacks 

Although Windows Server 2003 doesn't allow null session connections by 
default, Windows 2000 Server and NT Server do — and plenty of those sys- 
tems are still around to cause problems on most networks. 

Windows Server 2003 and Windows XP at the desktop are much more secure 
out of the box than their predecessors. Keep this in mind when it comes time 
to upgrade your systems. 

Mapping 

To map a null session, follow these steps for each Windows computer to 
which you want to map a null session: 

1. Format the basic net command, like this: 

net use \\host_name_or_IP_address\i pc$ /user:" 

The net command to map null sessions requires these parameters: 

• net (the built-in Windows network command) followed by the use 
command 

• IP address of the system to which you want to map a null 
connection 




• A blank password and username 
The blanks are why it's called a null connection. 
2. Press Enter to make the connection. 



Figure 1 1-7 shows an example of the complete command when mapping 
a null session. After you map the null session, you should see the mes- 

sageThe command completed successfully. 




Part IV: Operating System Hacking 



Figure 11-7: 

lac 




session to a 
Windows 
2000 server. 



ill be remembered. 
1 Remote 



\\18.11.12.199\ipc$ 
Wia.ll.l2.200\ipc$ 
ind completed successfully. 




To confirm that the sessions are mapped, enter this command at the com- 
mand prompt: 



As shown in Figure 11-7, you should see the mappings to the IPC$ share on 
each computer to which you're connected. 

Gleaning information 

With a null session connection, you can use other utilities to remotely 
gather critical Windows information. Dozens of tools can gather this type 
of information. 

You — like a hacker — can take the output of these enumeration programs 
and attempt (as an unauthorized user) to try such gleaning of information as 

If* Cracking the passwords of the users found. (See Chapter 7 for more on 
password cracking.) 
Mapping drives to the network shares. 

You can use the following applications for system enumeration against server 
versions of Windows prior to Server 2003. 




Windows Server 2003 is much more secure than its predecessors against 
such system enumeration vulnerabilities as null session attacks. If the server 
is in its default configuration, it should be secure; however, you should per- 
form these tests against your Windows Server 2003 systems to be sure. 



net (/ieu/ 

The net vi ew command shows shares that the Windows host has available. 
You can use the output of this program to see information that the server is 
advertising to the world and what can be done with it, such as: 



Chapter 11: Windows 



pBocte 



Share information that a hacker can use to attack your systems, such as 
mapping drives and cracking share passwords. 



e permissions that may need to be removed, such as the permission 
he Everyone group to at least see the share on Windows NT and 
2000 systems. 



To run net view, enter the following at a command prompt: 

net view 
Figure 1 1-8 shows an example. 



Figure 11-8: 

net view 
displays 
drive shares 
on a remote 
Windows 
host. 



isarrr 


Prompt 


BI-IE3 


C:\windows >net uiew WiB.il . 12 .200 
Shared resources at W10.il . 12 .200 

Share name Type Used as Comment 




• 


Finance Disk 
1ere2Bhacked Disk 
III Disk 
InetFub Disk 
rEMP Disk 

Che command completed successfully. 
|C:\wifidows> 





Configuration and user information 

Winfo and DumpSec can gather useful information about users and configura- 
tion, such as 

Windows domain to which the system belongs 
Security policy settings 
Local usernames 
Drive shares 

Your preference may depend on whether you like graphical interfaces or a 
command line: 




i>* Winfo (www .ntsecurity.nu/toolbox/winfo)isa command-line tool. 

Because Winfo is a command-line tool, you can create batch (script) files 
that automate the enumeration process. The following is an abbreviated 
version of Winfo's output of a Windows NT server, but you can glean the 
same information from a Windows 2000 server: 



Winfo 2.0 - copyright (c) 1999-2003, Arne Vidstron 
- http://www.ntsecurity.nu/toolbox/winfo/ 
SYSTEM INFORMATION: 



Part IV: Operating System Hacking 



PAS 

pBooks 



OS version: 4.0 
PASSWORD POLICY: 

Time between end of logon time and forced logoff: No forced logoff 
Maximum password age: 42 days 
Minimum password age: 0 days 

- Password history length: 0 passwords 

- Minimum password length: 0 characters 
USER ACCOUNTS: 

* Administrator 

(This account is the built-in administrator account) 

* doctorx 

* Guest 

(This account is the built-in guest account) 

* IUSR_WINNT 

* kbeaver 

* nikki 
SHARES: 

* ADMINS 

- Type: Special share reserved for IPC or administrative share 

* I PC$ 

- Type: Unknown 

* HereZBhacked 

- Type: Disk drive 

* C$ 

- Type: Special share reserved for IPC or administrative share 

* Finance 

- Type: Disk drive 

* HR 

- Type: Disk drive 



This information cannot be gleaned from Windows Server 2003 by 
default. 

V DumpSec produces Windows configuration and user information in a 
graphical interface. Figure 11-9 shows the local user accounts on a 
remote system. 

DumpSec can save reports as delimited files that can be imported into 
another application (such as a spreadsheet) when you create your final 
reports. You can peruse the information for user IDs that don't belong 
on your system, such as 

• Ex-employee accounts 

• Potential backdoor accounts that a hacker may have created 

If hackers get this information, they can attempt to exploit potential 
weak passwords and log in as those users. 



Chapter 11: Windows 



Figure 11-9: 



users on i 



users on a 
server. 



File Edit 5earch 


Report View Help 










UstHame 


Groups 


PswdUanBeChan 


je^PsiidReqy^-e^PswdEx 


ires LastLoqo 


Tine 




Administrators 


No 


Vps No 


1/1/2001* 


2:12 KM 




| Users 
* Guests 


No 
No 


Ves No 
Ves No 


1/1/2 004 
Neuer 


2:12 ill I 


IUSR WINNT 

kbeauer 

nikki 


Guests 
Users 
Users 


No 
Yes 
Yes 


Ves No 
Ves Ves 
Ves Ves 


1/1/2004 
1/1/2004 
1/1/20OU 


4:53 PN 
7:06 PM 
7:09 Ptl 


Found 6 users 










lOoorji ^ 



Walksam 

Walksam gleans information about Windows users by walking the SAM data- 
base through an established null session. Figure 11-10 is an example of its 
output. This output is obviously similar to the DumpSec output, but the main 
difference here is that this attack can be scripted to somewhat automate the 
process. 



Figure 11-10: 

User 
information 
gathered 






C:\uindows\rpctoolsXialksam \\10. 11 . 12 .200 

i'id 500: user Administrator 

Jserid: Administrator 

Full Name: 

Jone Dir: 

lone Drive: 

1. oynn Script : 

Profile: 

Description: Built-in account for administering the computer/domain 
Workstations : 
Profile: 
Jser Comment: 

Last Logon: 1/8/2004 12:51:52.734 
Last Logoff: 1/1/2004 7:11:55.140 
Last Passud Change: 1/1/2004 21:58:45.343 


±1 


with 
Walksam. 


llloued Passud Change: never 
Rid: SHU 

Primary Group Rid: 513 
Flags: 0x210 

Fields Present: 0xffffff 
Bad Password Count: 0 
•lum Logons: 8 








zi 




NetWork Users 











Network Users (www . opti mumx . com/downl oad/netusers .zip) can show 
who has logged into a remote Windows computer. You can see such informa- 
tion as 

v 0 Abused account privileges 

Users currently logged into the system 

Figure 1 1-1 1 shows the history of local logins of a remote Windows 2000 
workstation. 



Figure 11-11: 

The 
Network 
Users tool. 





[° DOS Prompt 




m-iQ 


C:Suindou 


s>netusers /h SMB. 11 . 12 .202 






*! 


listory o 


f users logged on locally at 10.11.12.202: 


Last Logon 






PClvkbeau 
PClSfldmin 


er kbeaoer 


2004/01/08 
2003/12/07 


08:57 
16:47 




[he comma 
jC:\uindou 


nd completed successfully. 

s> 






- 



Part IV: Operating System Hacking 



purposes. 

pBodte 

as backup 



This information can help you track who's logging into a system for auditing 
purposes. Unfortunately, this information can be useful for hackers when 
ying to figure out what user IDs are available to crack. They may 
rmine the system's daily use if the user IDs are descriptive, such 
as backup (for a backup server) or devuser (for a development server). 



Countermeasures 

You can easily prevent null session connection hacks by implementing one or 
more of the following security measures. 



Secure Versions 

If it makes good business sense and the timing is right, upgrade to the more 
secure Windows Server 2003. It doesn't have these vulnerabilities by default. 



Blocking NetBIOS 

It's absolutely critical that you block NetBIOS on systems that don't need to 
advertise to the world that it's running and available to be hacked. 




i>* Block NetBIOS on your Windows server by preventing these TCP ports 
from passing through your network firewall or personal firewall: 

• 139 (NetBIOS sessions services) 

• 445 (runs SMB over TCP/IP without NetBIOS) 

Windows NT doesn't support port 445. 

Although Windows Server 2003 does not have the same null session vul- 
nerability by default as older versions of Windows server operating sys- 
tems, it's still a good idea to block NetBIOS ports on these systems. 

V Disable File and Print Sharing for Microsoft Networks in the Properties 
tab of the machine's network connection. 



Registry 

For Windows NT and 2000, you can eliminate this vulnerability by changing 
the Windows Registry. Depending on the Windows version, you can select 
one of these security settings: 

None: This is the default setting. 

I *<" Rely on Default Permissions (Setting 0): This setting allows the default 
null session connections. 



Chapter 11: Windows 



pBoo 



-JftNG/ 



i>* Do Not Allow Enumeration of SAM Accounts and Shares (Setting 1): 

This is the medium security level setting. This setting still allows null 
ions to be mapped to IPC$, enabling tools such as Walksam to be 
to glean information from the system. 

No Access without Explicit Anonymous Permissions (Setting 2): This 
high security setting prevents null session connections and system 
enumeration. 

The high security setting has a few drawbacks: 

• High security creates problems for domain controller communica- 
tion and network browsing. 

• The high security setting isn't available in Windows NT. 

Microsoft Knowledge Base Article 246261 covers the caveats of using the 
high security setting for Restrict Anonymous. It's available on the Web at 

support. m i croso ft. c om /default. a spx?scid = KB; en -us; 246261. 



Windows 2000 

In Windows 2000, you don't have to edit the Registry. You can set local security 
policy in the Local Policies/Security Options of the Local Security Settings. The 
security setting is called Additional Restrictions for Anonymous Connections. 
This setting is referred to as RestrictAnonymous, as shown in Figure 11-12. 



Figure 11-12: 

Local 
security 
policy 
settings in 
Windows 
2000 to 
prevent null 
sessions. 



Tree | 



,hJ) Security Settings 
S CM Account Policies 
E C9 Local Policies 
it: Audit Policy 

> User Rights Assignment 

> Security Options 
♦ f_] Public Key Policies 

S ^ IP Security Policies on Local 



J 2J 



Policy 



| Local Setting 



Do not -Ay/: enamei-ation or 5AM ai 
Mot defined 



Ho] Additional restrictions for anonymous cc 
l"jJ]Allow server operators to schedule tasks... 
| Allow system to be 
J Alio wed to eject re 

jjjgAmount of idle time jj Additional restrictions for anonymous connection; 
jAudit the access of 
IfisO Audit use of Backup 

^Automatically log of Effective policy setting: 

|Clear virtual memor 1 |do 
_ J Digitally sign client c 
IflSyDigitally sign client c l oc , 
.So] Digit-all::- sign server 
| Digitally sign server 
|Disable CTRL+ALT+ 
I Do not display last i 
_ JLAN Manager Authe 
^Message text for us 
Imf] Message title for us 
i^Nurnber of previous 

| Prevent system maintenance or compute , . , Disabled 
_ JPrevent users from installing printer drivers Enabled 
|SK]PrGmpt user to change password before ... 5 days 
§s)R.ecovery Console: Allow automatic admi.,. Disabled 
Recovery Console: Allow floppy copy an,., Disabled 
iiSlPename administrator account Not defined 

3 



:s and shares Do nc 



KB 



If domain-level potcy settings are defined, they ovetiide local policy settings. 



Not define! 

Disabled 

Admimstia! 

15 minutes 

Disabled 

Disabled 

Enabled 

Enabled 

Disabled 

Enabled 

Disabled 

Disabled 

Disabled 

Enabled 

Send LM&. 

WARNING! 
10 logons 
Disabled 
Enabled 

Disabled 
Disabled 
Not define! H 



Part IV: Operating System Hacking 



tor wind- 

d Books 



Windows NT 

Fojt Windows NT, follow these steps to change the Registry to disable null 



1. Run either of the following Registry editing programs in Windows: 

• regedi t . exe 

• regedt32 . exe 

2. Make a backup copy of the Registry. 

• If you're using regedit, select Registry/Export Registry File. 

• If you're using regedt32, select Registry/Save Key 

3. Browse to the key HKEY_LOCAL_MACHINE\SYSTEM\ 
CurrentControlSet\Control\LSA. 

4. Right-click in the right window and select New/DWORD Value. 

5. Enter RestrictAnonymous as the name. 

6. Double-click the RestrictAnonymous key and enter 1 as the value. 

7. Exit the Registry editor (regedit or regedt32). 

8. Reboot the computer. 

The new setting takes effect after the system is rebooted. 



Share Permissions 



Windows shares — the available network drives that show up when browsing 
the network in Network Neighborhood or My Network Places — are often mis- 
configured, allowing more people to have access to them than they should. 
This is a security vulnerability that can be exploited by the casual browser, 
but the implications of a hacker gaining unauthorized access to a Windows 
system can result in serious consequences, including the leakage of confiden- 
tial information and even the deletion of critical files. 



Windows defaults 

The default share permission depends on the Windows system version. 

Window 2000/M 

When creating shares in Windows NT and 2000, the group Everyone is given 
Full Control access in the share by default for all files to 



Chapter 11: Windows 



I Browse files 
Read files 



■-^ 1-^ tr* Read files 

DropBoote 



-JftNG/ 




Anyone who maps to the IPC$ connection with a null session (as described 
in the preceding section "Null Sessions") is automatically made part of the 
Everyone group! This means that remote hackers can automatically gain 
browse, read, and write access to a Windows NT or 2000 server if they estab- 
lish a null session. 

If share permissions are misconfigured, hackers on the Internet may gain 
access to these shares on an unprotected system and open, create, and 
delete files at will! 

Windows 2003 Serter 

In Windows 2003 Server, the Everyone group is given only Read access to 
shares. This is definitely an improvement over the defaults in Windows 2000 
and NT, but it's not the best setting for the utmost security. You still may 
have situations where you don't even want the Everyone group to have Read 
access to a share. 



Testing 

Assessing your share permissions is a good way to get an overall view of who 
can access what. This testing shows how vulnerable your network shares — 
and confidential information — can be. You can find shares with default per- 
missions and unnecessary access rights enabled. 

The best test for share permissions that shouldn't exist is to log in to the 
Windows computer and run an enumeration program so you can see who has 
access to what. 

bumpSec 

DumpSec shows the share permissions on your servers in a graphical form. 
You simply connect to the remote computer and select Dump Permissions for 
Shares in the Report menu. This produces shares labeled as unprotected, simi- 
lar to what's shown in Figure 11-13. 




This vulnerability exists in both Windows NT and Windows 2000 servers. 
Thank goodness Microsoft fixed this default weakness in Windows Server 2003! 



Part IV: Operating System Hacking 



OOkSv 



indows workstation security 



This chapter focuses on Windows Server OSs 
(NT, 2000, and Server 2003) with brief mentions 
of security issues involving Windows worksta- 
tion OSs (9x, Me, and XP), Windows servers are 
often the most critical servers on a network, but 
you shouldn't overlook the workstations. 

If you're running Windows 95, 98, or Me as the 
OS for your network workstations, it may be 
time to upgrade. These three OSs simply aren't 
made for secure networking. Even the older 
Windows NT has better security built-in. Why? 
Because that's how Microsoft designed it. 
Windows 9x and Me were designed for the 
casual home user — not for networking in a 
business setting. They support networking such 
as domain logins and file and printer sharing, 
but these security measures are easily circum- 
vented. Just try pressing Esc on your keyboard 
the next time you're presented with a login 
screen on one of these OSs. The login screen 
will go away, and you'll have full rights on 
the system. Your best bet for security and 
hacker countermeasures is to upgrade these 
old OSs — and most likely the hardware, too — 
to the latest and greatest computers running 
Windows XP Professional or newer. 

Although Windows XP is much more secure by 
default than its older siblings, take a couple 
more steps to make it as secure as possible: 

Apply the latest patches as described in the 
section "Windows Update" or by using an 
automated patch management tool. 

Run LANguard Network Security Scanner 
and the Microsoft Baseline Security Analyzer 



to identify any obvious security vulnerabili- 
ties, such as weak passwords and autologon. 

j^* Enable the Internet Connection Firewall 
(ICF). This personal firewall provides a 
tremendous amount of security over the 
standard configuration. It blocks all unso- 
licited inbound traffic unless that traffic is 
explicitly allowed. 

There are other firewall options as well, 
such as BlacklCE or ZoneAlarm. You may 
be able to run both ICF and a third-party 
firewall at the same time, but I don't rec- 
ommend it for system operation and stabil- 
ity purposes. 

To enable ICF on a Windows XP Professional 
system, perform the following steps: 

1. Load the Control Panel and then choose 
Networking and Internet Connections^ 
Network Connections. 

2. Right-click on the network adapter on 
which you want to enable ICF and select 
Properties. 

3. Click the Advanced tab and then select the 
Protect My Computer or Network by Limiting 
or Preventing Access to This Computer from 
the Internet check box. 

Supposedly, starting with Windows XP Service 
Pack 2, ICF will have many more advanced fea- 
tures such as firewalling being enabled by 
default, boot-time protection of the system, and 
support for various security profiles depending 
on how and where the user is logged in. 



LANguard 

LANguard Network Security Scanner also shows the share permissions on 
your servers in a graphical fashion. Figure 11-14 shows an example. 



Chapter 11: Windows 




Trpfe fn3: 

Unprotected 
shares in a 
Windows 
NT system. 



* - bomai soft DumpSec (formerly DumpAd) - \\10.1 



File Edit 5earch Report View Help 



flD IH$=C:\WIWT ( 



admin share) 

\Here2Bhacked (disktree) 
C$=G:\ (special admin share) 
Finance=C:\flccounting (disktree) 
HR=C :\HunanResoui ces (disktree) 
TEMP=C:\TEMP (disktree) 
InetPub=C:\InetPub (disktree) 



■-lnixi 



Account Own Permission 



admin-only (no dacl) 
unprotected (no dacl) 
admin-only (no dacl) 
unprotected (no dacl) 
all 

unprotected (no dacl) 
unprotected (no dacl) 

00001 



Figure 11-14: 

Unprotected 
shares in a 
remote 
Windows 
NT server. 



' GFI LANguard Network Security Scanner v(3.2) 



File Edit View Scan Patches Tools LANguard Tray Help 



© © I Q 



H O ADMIN$ - Remote Admin 
1 _i IPCS - Remote IPC 
a Here2Bhacked 
E3 C$ - Default share 
B L-i Finance 

]£ Share name : Finance 
\S Share remark : 
Of Share path : C:\Accounting 
kf No security permissions. 

a ^ hr 

j—L7 Share name : HR 

[if Share remark : 
!■— -U Share path : C:\HumanResoutces 
i_ Permissions 

^ Everyone; Allow Full Control 
B O TEMP 

; Of Share name: TEMP 
Of Share remark: 

GT Share path : CATEMP 

: ■ Of No security permissions. 
B CHnetPub 

0T Share name : InetPub 
BT Share remark: 
3 Share path : CAInetPub 
[•f No security permissions. 



General Security Tests 

As part of your ethical hacking, you can run the following security tests to 
determine other potential weaknesses in your Windows systems. 



Windows Update 

Windows Update is the simplest way to check for missing Windows patches — 
especially critical security updates. How you run Windows Update depends on 
your Windows version: 



Part IV: Operating System Hacking 



If you have Windows 2000, XP, or Server 2003, 
the Start menu. 



run Windows Update from 



oBocfe 



45 



Windows NT, browse to wi ndowsupdate . mi crosof t . com. On that 
click Scan for Updates to check your system for any missing 
patches. 

Microsoft has announced plans to stop providing updates for Windows 
NT. You can't assume that Windows Update will have patches for new 
security vulnerabilities discovered. 



Microsoft Baseline Security 
Analyzer (MBS A) 

Microsoft Baseline Security Analyzer (MBSA) is my preferred method for 
checking for missing security patches. MBSA is a free utility from Microsoft. 
MBSA checks Windows NT, 2000, XP, and Server 2003 systems for missing 
patches and also tests Windows, SQL Server, and IIS for such basic security 
settings as weak passwords. You can use these tests to identify security 
weaknesses in your systems. Figure 1 1-15 shows a sample of the security 
settings MBSA tests. 



£ Microsoft Baseline Security Analyzer 

iaseline Securit 



Figure 11-15: 

Testing 
basic 
Windows 
security 
settings. 




Sort Order: | Score (worst first) j 





Password 
Expiration 


Some unspecified user accounts (2 of 4) have non-explrtng 
passwords. 

What was scanned Result details How to correct this 


-] 




Local Account Some user accounts (I of 4) have blanker simple passwords, or 
Password Test could not be analysed. 








What was scanned Result detab 




✓ 


File System 


All hard drives (3) are using the NTFS file system. 
What was scanned Result details 


J 




Autokjgon 


Autologon is not configured on this computer. 

What was scanned 




✓ 


Guest Account 


The Guest account is disabled or- this computer. 




V 


Restrict 
Anonymous 


Computer is running with RestrlccAnonyrnous = 2. This level 
prevents access to any resources that do not have explicit 








permissions set for the Anonymous account, 








What was scanned 




✓ 


Administrators No more than 2 Administrators were found on this computer. 





SI 



With MBSA, you can scan either 

The local system you're logged into 

Computers across the network, if your currently logged-in user ID exists 
as an Administrator equivalent on the remote system you're testing 



Chapter 11: Windows 




MBSA requires an administrator account on the local machines you're scan- 
ning and a manual connection to them. 



oks 

LANquard 



LANguard Network Security Scanner is my favorite feature-rich patch and 
Windows vulnerability scanning tool. With LANguard, you can 



v 0 Test for vulnerabilities and missing patches 

v 0 Deploy patches across the network to remote systems 



Figure 11-16 shows the depth of information that this program can provide 
when scanning Windows systems for vulnerabilities and security settings. 
This type of information is very helpful when testing your own systems — 
especially if you have a large or complex network. 

This information is also very helpful to hackers, especially if they have deter- 
mined a local user's password. This way, they can authenticate to the system 
and check to see what patches and security settings are missing. 



Figure 11-16: 

Information 
on missing 
patches and 
weak 
security 
settings. 



File Edit Vew Scan Patches Tools LANguard Tray Help 



■-Inlxl 



O © 0 



E is 5- 



a & Target : ; 



LT0.11 12.200 



~3?l 



- O MS03-O3B \S24US) 

■ ♦ Title : Buffer Overrun In RPCSS Service Could Allow Code Execution [8241 46] 
« Reason: Wrong Hie version [4.0.1373.1] for Hie '^^10.11.12.200^C$yWIN^JT^syste^n32\ole32.dll , '. should be (4.0.1K1.7230] 
URL : http: //www. micro so f t . com/ T isc-r-if- J e t rc c u r i K' b i.j 1 1 ■:- M ri ,-' t .-1 :E; 03-039. asp 
B © MSC3-041 [823182) 

♦ Title : Vulnerability m Hiiihfctiiboifc Vet it cat ion Could a.lbw Remote Code Execution (823182) 

♦ Reason: Wrong tile version [4.75.1 374.1) tor file'WO 11.12 200\L^$WINNT 1 isystem32\WINTRUST. DLL'', should be (5.1 31 .1877.9) 
§ URL : http://www.micro5ott.eom/T eehHet.-'c eci intu.-'bi.jlli-Mi-i.-'f-IS 03-041. asp 

hi O MS03-043 [828035) 

• Title : Buller Overrun in Messenger Service Could Allow Code Execution (828035) 

* Reason: Wrong file version (4.0.1371.1) lor Hie "\M0.11.12.200\C$\WINHT\:,ystern32\wkssvc.dll". should be (4.0.1381.7236) 
URL : http://www.microsoll.eom/TechNet/:-eri iriiv/bi.illeiin/M::.03-043.asp 

E O MS03-045(824141) 
H © Patches which cannot be detected (21 ) 
B d Registry Alerts (20) 
E (*] AutoShareServer(1] 

-', C e . 1 1 p 1 1 o i The- a c ri ■ n 1 1 : .aire :ha:e: I'L t.D'j A[ Ml N't e:: I are neated en "n; ".iaehinc.lt you dorYr .i;e the--, ;-■ j'L-iaie'." -. 
@] Bugtraq ID/URL http ;i.rP'port. micro; oil cC'riJ:uppo^T.b.drhcle:. '0245/1/17. asp 
AutoShereWKS (2) 
Cached Logon Credentials 

0 Description : Could lead to information expesute. Should be set to 0 
Bugtraq ID/URL : http://is-it-tme.org/nt/atips/atips3G.shtml 



slop creating thi.: ;hari 



Ready 



I DCOM is enabled 

] Denial of service on port 1 35 
J Description : It is possible to 
S\ Bugtraq ID/URL : 6B8 



1 100 % by telneting >o pert I -ib" a- id enter bogus characters 



"i r 



It seems like no matter how many times you manually check local security 
settings and test to ensure that all patches are installed, a program such as 
LANguard Network Security Scanner or the popular and powerful Hyena 
(www . systemtool s .com/hyena) always seems to find security issues you 
may have overlooked. This is why I recommend that you include an all-in-one 
assessment tool, such as one of these programs, in your security toolbox. 



Part IV: Operating System Hacking 



DropBooks 



Chapter 12 

Linux 

In This Chapter 

Examining Linux hacking tools 

Port-scanning a Linux server 

Gleaning Linux information without logging in 

Exploiting common vulnerabilities when logged into Linux 

Minimizing Linux security risks 



DropBooks 



M inux — the new darling competitor to Microsoft — is the latest flavor of 
fi^UNIX that has really taken off in corporate networks. A common miscon- 
ception is that Windows is the most insecure operating system (OS). However, 
Linux — and most of its sister variants of UNIX — is prone to the same secu- 
rity vulnerabilities as any other operating system. 

Hackers are attacking Linux in droves because of its popularity and growing 
usage in today's network environment. Because some versions of Linux are 
free — in the sense that you don't have to pay for the base operating system — 
many organizations are installing Linux for their Web servers and e-mail 
servers in hopes of saving money. Linux has grown in popularity for other 
reasons, including the following: 

v 0 Abundant resources available, including books, Web sites, and consul- 
tant expertise. 

i>* Perception that Linux is more secure than Windows. 

V Unlikeliness that Linux will get hit with as many viruses (not necessarily 
worms) as Windows and its applications do. This is an area where Linux 
excels when it comes to security, but it probably won't stay that way. 

V Increased buy-in from other UNIX vendors, including IBM and Sun 
Microsystems. Even Novell is rewriting NetWare to be based on the 
Linux kernel. 



is* Growing ease of use. 



Part IV: Operating System Hacking 



ware ; 
kerne 



In addition to the password attacks I cover in Chapter 7 and some of the mal- 
ware attacks I cover in Chapter 14, many other attacks are possible against a 
ed system. Linux can be tested remotely without being authenti- 
he system. With all things being equal (that is, running the latest 
kernel and having the latest patches applied), it can be more difficult to glean 
the same amount of information from a Linux host than from a Windows or 
NetWare host without being logged in. After you log in to Linux with a valid 
username and password, you can glean a lot of information by running secu- 
rity tests to see how your system might stand up to a malicious internal user 
or hacker with a valid login. 

In this chapter, I show you some critical security issues in the Linux operat- 
ing system and outline some countermeasures to plug the holes so you can 
keep the bad guys out. A lot of this information applies to all flavors of UNIX. 

I demonstrate the vulnerabilities by using Red Hat Linux versions 7.3 and 8.0, 
running Linux kernel version 2.4.18. 1 use Red Hat because it's the most popu- 
lar and widely used Linux distribution. It's also the Linux that I prefer. 



Linux Vulnerabilities 

Vulnerabilities and hacker attacks against Linux are affecting a growing 
number of organizations — especially e-commerce companies and ISPs that 
rely on Linux for many of their systems. When Linux systems are hacked, the 
victim organizations can experience the same side effects as if they were run- 
ning Windows, including: 

W Leakage of confidential intellectual property and customer information 

V Passwords being cracked 

w 0 Systems taken completely offline by DoS attacks 

V Corrupted or deleted databases 



Choosing Tools 

You can use many UNIX-based security tools to test your Linux systems. 
Some are much better than others. I often find that my Windows-based com- 
mercial tools do as good a job as any. My favorites are as follows: 



Chapter 12: Linux 



ipBooks 



Windows-based SuperScan (www . f oundstone .com) for ping sweeps and 
TCP port scanning 



p (www . i n secure . org) for OS fingerprinting and more detailed port 
ning 

Windows-based LANguard Network Security Scanner (www . gf i . com) for 
port scanning, OS enumeration, and vulnerability testing 

THC-Amap (www .thc.org/releases.php) for application version 
mapping 

V Tiger (ftp . debi an . org/debi an/pool /mai n/t/ti ger) for automati- 
cally assessing local-system security settings 

Linux Security Auditing Tool (LSAT) (usat.sourceforge.net) for auto- 
matically assessing local-system security settings 

VLAD the Scanner (razor . bi ndvi ew . com/tool s/vl ad) to test for the 
SANS Top 10 Security Vulnerabilities 

f* QualysGuard (www . qua 1 y s . com) for OS fingerprinting, port scanning, 
and very detailed and accurate vulnerability testing 

Nessus (www . nessus . org) for OS fingerprinting, port scanning, and vul- 
nerability testing 



Thousands of other Linux hacking and testing tools are available. The key is 
to find a set of tools — preferably as few as possible — that can do the job 
that you need to do and that you feel comfortable working with. 



Information Gathering 



You can scan your Linux-based systems and gather information from both 
outside (if the system is a publicly accessible host) and inside your network. 

Scan from both directions so you see what the bad guys can see from both 
outside and inside the network. 



System scanning 



Linux services — called daemons — are the programs that run on a system 
and serve up various applications for users. 



Part IV: Operating System Hacking 



DBooku 



Internet services, such as the Apache Web server (httpd), telnet (telnetd), 
and FTP (ftpd), often give away too much information about the system, 
as software versions, internal IP addresses, and usernames. This 
mation can allow a hacker to attack a known weakness in the system. 



_ TCP and UDP small services such as echo, daytime, and chargen, are 
often enabled by default and don't need to be. 

The vulnerabilities inherent in your Linux systems depend on what services 
are running. You can perform basic port scans to glean information about 
what's running. 

The SuperScan results in Figure 12-1 show many potentially vulnerable ser- 
vices on this Linux system, including RPC, a Web server, telnet, and FTP. 



Figure 12-1: 

Port- 
scanning 
a Linux 
server with 
SuperScan. 



nosmame looki^j 


Lookup 


Resolved | 


Me | Interlace- | 



Configuration 




& Ignore IP zero 
P? Ignore IP 265 Read 
r Extract from Trie | |4000 



P Resolve hostnames 

I? Drily scan responsive pings 

W Show host responses 

f Ping or* 

(• Every port in list 

P All selected ports in list 

<*" All list ports Irom | 

i~ All ports from [~ 



|1 0.11.12205 
[10102205 

IBS 



t 10.11.12205 [Unknown] 

* 7 Echo 

i- • 13 Daytime 

l ■■ • 19 Character G enerator 

i * 21 File Transfer Protocol [Control] 

■ 220 ready, dude [vsFTPd 1.1.0: beat me. break me).. 
? • 22 SSH Remote Login Protocol 

I • 23 Telnet 
! ■ 8..' 

• 53 DomainNameServer 
! * 79 Finger 

S»» 80 WorldWideWebHTTP 

■ HTTP/1.1 403 Forbidden Date: Sun. 11 Jan 2004 20:49:40 GMT.. Ser 

• 111 SUN Remote Procedure Call 

• 199 'E.MU;- 

» 443 https MCom 

• 512 remote process execution; 

* 513 remote login a la telnet; 

* 514 cmd 

* 6000 6000-6063 X Window System 



■ i :■ : t 
Open ports 



■ "Z'Eid- 9 4L |: I ed 1 1 -at L fi-.J -: I : ept-F l-Enge:: byte-: _c v.? 



Save | 
Collapse all | 
Expand al | 

Prune | 



In addition to SuperScan, you can run another scanner, such as Nessus or 
LANguard Network Security Scanner, against the system to try to glean more 
information, including 

z>* A vulnerable version of OpenSSH, as shown in Figure 12-2 

The finger information returned by LANguard, as shown in Figure 12-3 



Chapter 12: Linux 




Figure 12-2: 

Using 
Nessus to 
discover a 
vulnerability 
with 
OpenSSH. 



l/lcp] 

. Wcp] 

Q ssh[22/lcp| 

A ssh[22/tcp) 
A ssh[22/tcp) 
O sunrpctlHAcp] 
A sunrpc (111/tcp) 
A sunrpc (111/tcp) 
O sunrpc 11 1 Vudp) 
A sunipc(HVudp) 
O telnet (23/tcp] 
A telnet (23/tcp] 
O unknown |327S87tcp] 

unknown (32788/lcp) 
O unknown |32768/udp] 
A unknown (32768/udp] 

unknown (32788/udp] 
O unknown (32769/tcp) 
A unknown |327G9/tcp] 
O k11 [GOOOAcp) 
A k11 (BOOO/tcp) 



10.11.12.205 






F' ugh information 
PluojnID: 11837 
OpenSSH < 3.7.1 


Vulnerability 

£l± ssh [22/tcp) 

'■F High severity 

r This vulnerability Is (else positive 


Description: 



An exploit tor this issue is rumored to 



Note that several distribution patched this hole without changing 
the version number ot OpenSSH. Since Nessus solely relied on the 
banner ol the remote SSH server to perform this cheek, this might 
taJse positive. 

re that the command ; 



?r-3.1p1 -1 3 [RedHat 7.x) 



Figure 12-3: 

LANguard 
Network 
Security 
Scanner 
gleaning 
user 
information 
via finger. 



* GFI LANguard Network Security Scanner v(3.3) 



File Edit View Scan Patches Tools LANguard Tray Help 



m IS & Target 



- m |^mfJ^i|.|||ii l niiij l f jjflf i|[ 

Jgj SNMP (system) 

Of Time to live (TTLJ : 64 (64] ■ Same network segment 
H & TCP Ports (13) 

E- • 13 [ Daytime => Time of day ] 
E ■ tfp 21 [ Ftp => File Transfer Protocol ] 

• 22[Ssh=> Remote Login Protocol ] 
o 23 [ Telnet ■> Remote Login Protocol ] 
O 53 [ Domain => Domain Name Server ] 

• 79 [Finger] 

Login Name Tty Idle Login Time Office Office Phone 
R g kbeaver pts/Q 2 Jan 11 15:08 (pd) 

Of Login: kbeaver Name: (null) 
Of Directory: /home/kbeaver Shell: /bin/bash 
GT OrtsHiceSunJanll 15:08 (EST] on pts/0 fiom pel 
[2f 2 minutes 27 seconds idle 
j- Gf No marl. 
-GT No Plan. 

ffl t *j 80 [ Http => World WideWeb, HTTP] Apache/2.0.40 (Red Hat Linux] 
B • 111 [SunRPC=> SUN Remote Procedure Call ] 

• 443 [ HttpS => Secure HTTP ] 

• 51 2 [ Exec => Remote process execution ] 

• 51 3 [ Login => R emote login (a la telnet) ] 

• 514[Shell=>cmd] 
o 6000[Xsefver] 
UDP Ports (8) 

o 53 [ DNS => Domain Name Sefver ] 

• 11 1 [ RPC => SUN Remote Procedure Call ] 
© 123[NTP=>NetworkTimeProtocol] 
o 161 [ SNMP => Simple Network Management Protocol ] 
o 162 [SNMP trap] 

j— • 520 [ router => Router routed RIPv.1, RIPv.2 ] 
© 1 433 [ ms-sql-s => Microsoft SQL Server ] 

• 1 51 2 [ wins => Microsoft Windows Internet Name Service ] 

[Ready 



J 



•J 



LANguard even determined that the server is running the Berkeley Software 
Distribution (BSD) r-services and more in the Alerts section of Figure 12-3. It 



Part IV: Operating System Hacking 



tne luki 

:>Bodte 



also displays a description of the potential vulnerability, as well as a link to 
the CERT Web site, which contains more information about it. Figure 12-3 also 
at LANguard thinks the remote operating system is Red Hat Linux, 
mation can be handy when you come across unfamiliar open ports. 



Figure 12-4 shows various r-services and other daemons that network admin- 
istrators are notorious for running unnecessarily on UNIX-based operating 
systems. Notice that LANguard points out specific vulnerabilities associated 
with some of the these services, along with a recommendation to use SSH as 
an alternative. 



Figure 12-4: 

Potentially 
vulnerable 
r-services 
found by 
LANguard. 



I^GFI LANguard Network Security Si 



File Edit H 



;w Scan Patches Tools LANguard Tray Help 

0 ftj tH & 5* | & -ft!B| Id T«t»I:Sj|10.11 .12.205 



Alerts |8] 

l3 ServiceAlerts[6) 

B (3 SNMP service is enabled cm this host 

['eiLNph'jf' N .imerc-ij: ■.■■.ihier-=blitie; have beeri rapc^ad in mUhple ■.■a-idcr:' ': "IMF mplernenlatior s. You should check if your system is vulnerable. 
Sugtraq ID/URL : http://www cert.OFg/advisories/CA-2002-03 html 
B {*] Finger service is running 

H Descriphcr Fi- - iaer can Give- an a" ad er ,i:a|i,l irilcr"a:iC'n. :1.1c h a: lager accci.nt: and (rusted hosts. 
B g] REXEC service enabled 

0 Description : This service is vulnerable to TCP spooling attacks If possible use SSH instead. 

@ Bugtraq ID/URL : http://www.cert org/tech_tips/usc20_full htmltt2 4 
B £] RL0GIN service enabled 

Ef Description : This service is vulnerable to TCP spooling attacks. If possible use SSH instead. 

@ Bugtraq ID/URL ; http://www.cert.org/techJips/usc2C_fijll htmltt2 4 
B Q RSH service enabled 

_f Description : This service is vulnerable to TCP spooling attacks If possible use SSH instead. 

|_ Bugtraq ID/URL : http://www.certorg/tech_tips/usc2C_full.htmltlZ4 
&-- g] Telnet service is running 

_f Description Thi: ;ervn:e 1: dangc- 1 au.: be: au.:a ii cor : .-r anci.p' daia '"■c-. , i: live- rVurmaiiC'i" .Karnarneo+pa; :.■.■■ 1 a rd.:l c an be :ntted. If possible use ! 
i__ RPC Alerts (1) 
H (_!] lam service running 

_: ['p'cripiicr --er rior : c "ni: :a"-i:c- :a ■■■i.lre'able iFii.n arbiircr. c jriMianc: a: r ■:. 0 1 1 



You can go a step further and find out the exact distribution and kernel ver- 
sion by running an OS fingerprint scan using Nmap, as shown in Figure 12-5. 



Figure 12-5: 

Using Nmap 
to determine 
the OS 
kernel 
version of 
a Linux 
server. 



PORT 
?/tcp 
L3/tcp 



d Tine 
ting po 
(Hie 1639 port 



nap -sU -0 10. 11. 12. 205 

48 < http://www. insi 

s an 10.11.12.205: 
scanned but not she 
UERSION 



2004-0111 17:27 Ea 



STATE SERUICE 
open echo 
open daytime 
open charge n? 
ftp 



53^tcp 

79/tcp 

)0/tcp 

111/tcp 

199/tcp 

443 /tcp 

J12/tcp 

J13/tcp 

il4/tcp 

173/tcp 

[241/tcp 

6000/tcp 



open 
open 
o pc- n 



elnet Linux telnetd 

omain ISC Bind 9.2.1 

inger Linux f ingerd 

ttp flpaclie httpd 2.0.40 <<Red Hat Linux>> 

pcbind 2 <rpc B1O0B00> 

mux Linux SNMP multiplexer 

si Microsoft IIS SSL 



1 type: general purpose 
ig: Linux 2.4.X !2.5.X 
ails: Linux Kernel 2.4.0 - 2.5.20 
1.605 days <since Sat Jan 10 02:57:27 2004> 

'irn completed — 1 IP address <1 host up> scanned 



108.896 seconds 



The QualysGuard scan of a Linux server shown in Figure 12-6 outlines threats 
to the system in an informative graphic form that nontechie types — the ones 
to whom you may be showing the results — just love. 



Chapter 12: Linux 



BSE 

File Edit 




Figure 12-6: 

Linux 
threats 
outlined in a 
QualysGuard 
scan. 



Results - Microsoft Internet Lxpl 



m 

Tools Help 



JJfl SlS»* jJFavorites 3«ed,a J .> J|. J Jt • 
fcdQualys Scar of Linux S.o| 



■-Inlxl l 



(^Search Web - 



3 



i8 ^ I <P P '"^»|gl3Mpopupiafc».d fflnJoFill Q j B° * 



lss>T 



* | Q Dictionary 



Times Detected: 1 



Possible Threats (3) BS 



5 Statd Format Bug Vulnerability 

QID: 66040 Category: RPC CVE ID: CVE-2000-066S CAN- 2000-0800 
First Detected: 12/31/2003 at 21:43:06 Last Detected: 12/31/2003 at 21:4 
DESCRIPTION: 

The rp: :t?.id pi jch-es'Ti, ■■■.■h c-i i: pa'l r- the "it:-irtil: p a.ie: : :l ::nbi,ted , ". ,r, "i ■■■■ PUTnoei jt i l ! I a r _nu:- d e iiji.rtiii r, e . The 'pc e tat^ii :ei ■: an RF'iI 
server thai implements the Network Statu: arid Miinitor rtC fjrotocc-s. It'.- a component or the Met u:k File System (NFS) architecture. 

i :.il :E t.fiT lI contain; a tor mat Ltrrig ■■.■■uTieiialiiiiv ■.■■•lieri .JallTKi the i : ,'.eIul;i.I lunc tic.n. Il'ii Yulnei.aijilrtv allc.n'i remote user £: to execute code a; root The loyuiri-j 

code in rpc.statd uses the syslogO function to pass user-supplied date as the format string A malicious user can construct a format string that inlects 
executable code into the process address space and overwrites a function's return address, forcing the program to execute the code . 

tails to drop these privileges later on Thereto re, code injected by the malicious user will 
r 1 1 -.t H e- ■ PreLu'TialjIy, .anv Lmi.i ■ diniibui e n ili.at n.;n: Hie E'at'.i [.■! ■!■■:■=■£ i ii ■.■ulnei.aljie, 



Debiar . r-:ed -lat and c or nectr-a have a 1 1 elea:ed adviicne; or. si 
unless already patched for the problem. 

CONSEQUENCES: 

If successfully exploited, unauthorized users can execute remote 

SOLUTION: 

You should get a patch from your vendor, or disable the statd service. 

RESULT: 

No results available 



OpenSSH Multiple Memory Management Vulnerabilities 
► 5 OpenSSH Reverse DNS Lookup Access Control Bypass Vulnerability 



■ Dene 



port:22 
port:22 

~~ |gi My ComputeT" 



Comtermeasures 




Although you can't completely prevent system scanning, you can still imple- 
ment the following countermeasures to keep the bad guys from gleaning too 
much information from your systems: 

f* Protect the systems with either 

• A firewall, such as netfilter/iptables (www . netf i 1 ter .org). 

• A host-based intrusion-prevention application, such as PortSentry 

(sourceforge. net/projects/sentry tool s) now owned by 
Cisco Systems (www . psi oni c .com) or SNARE (www . intersect 
alliance. com/pro jects/Snare). 

These security systems are the best way to prevent an attacker from 
gathering information about your Linux systems. 

Disable the services you don't need, including RPC and such daemons 
as HTTP, FTP, and telnet. You may very well need some of these dae- 
mons and more — just make sure you have a business need for them. 
This keeps the services from showing up in a port scan and, thus, gives 
an attacker less incentive to break into your system. 

u* Make sure the latest software and patches are loaded; if a hacker deter- 
mines what you're running, the chances of exploitation are reduced. 



200 P art Operating System Hacking 



Unneeded Services 



DropBook& 

Web serve 



know which applications are running — such as FTP, telnet, and a 
Web server — it's nice to know exactly which versions are running so you 
can look up any of their associated vulnerabilities and decide whether to just 
turn them off. 



Searches 

Several security tools can help determine vulnerabilities. These types of utili- 
ties may not be able to identify all applications down to the exact version 
number, but they're a very powerful way of gleaning system information. 




Vutnembitities 

Be especially mindful of these known security weaknesses in a system: 

FTP — especially if it's not properly configured — can provide a way for 
a hacker to download and access files on your system. 

Telnet is vulnerable to network-analyzer captures of the clear-text user 
ID and password it uses. 

i>* Old versions of sendmail — the world's most popular e-mail server — 
have many security issues. 

Make sure sendmail is patched and hardened. 

R-services such as rlogin, rdist, rexecd, rsh, and rep are especially vul- 
nerable to hacker attacks, as I discuss in this chapter. 



Toots 

The following tools can perform more in-depth information gathering beyond 
port scanning to enumerate your Linux systems and see what the hackers see: 



Nmap can check for specific versions of the services loaded, as shown in 
Figure 12-7. Simply run Nmap with this command-line switch: 

-sV 



Amap is similar to Nmap, but it has a couple of advantages: 

• Amap is much faster for these types of scans. 

• Amap can detect applications that are configured to run on non- 
standard ports, such as Apache running on port 6789 instead of 
its default 80. 

The output of an Amap scan of the localhost (hence, the 127.0.0.1 
address) is shown in Figure 12-8. Amap was run with the following 
options to enumerate some commonly hacked ports: 



Chapter 12: Linux 201 



DropBooks 




- 1 makes the scan run faster. 

- b prints the responses in ASCII characters, 

-q skips reporting of closed ports. 

21 probes port. 

22 probes SSH port. 

23 probes telnet port. 

80 probes HTTP port. 

f" netstat shows the currently running services on a local machine. Enter 
this command: 

netstat -anp 

f" List Open Files (lsof) displays processes that are listening and files that 
are open on the system 

To run lsof, enter this command at a Linux command prompt: 

lsof -i +M 

Chapter 14 covers more on usage of lsof as well. 



Figure 12-7: 

Using Nmap 
to check 
application 
versions. 



!' DOS Prompt 








hi.iq 




nap - 










-' 


Starting 




3.48 C ht 


p://w«w. insecure .org/nnap 


> at 2004-0111 18:58 


Eastern 




Standard 


line 












jig ports on 10 


11.12.205: 








<The 1639 port 


s scanned 


but not shoun below are i 


state: closed) 






PORT 


STATE 


SERUICE 


UERSION 








?/tcp 














13/tcp 


open 












19/tcp 




charge n. 










21/tcp 


open 




usFTPd 1.1.0 








22/tcp 




ssh 


OpenSSH 3.4pl Cprotocol 1 


99) 






J3/tcp 


open 


telnet 


Linux telnetd 












domain 


ISC Bind 9.2.1 








?9/tcp 




f inger 


Linux f inger d 








BB/tcp 


open 


http 


ft Viae he httpd 2.0.40 <<Red 


Hat Linux)) 






Lll/tcp 






2 <rpc 8100000) 








199/tcp 


open 




Linux SNMP multiplexer 








*43/tcp 




ssl* 


Microsoft IIS SSL 








3i2/tcp 


open 












513/tcp 




login? 










J14/tcp 




shell? 










873/tcp 


open 


rsync? 










1241/tcp 














6000/tcp 


open 


Xll 


(access denied) 










conpleted — 1 


IP address <1 host up) sc 


nned in 100. 825 secon 


a 




|c:\nnap> 












•! 



Figure 12-8: 

Using Amap 
to check 
application 
versions. 



l-lnlxl 



File Edit View Options 

a n $ si* 



TransFer Script Window He!p 

e q i ^ % m i mi 



Protocol on 127 . 0 . 0 . 1 :S0/'tcp matches http - banner: HTTP/1.1 403 Forta elder. \r ViDate Sun. 11 Tan 2004 2332. 

9 GMTSrViServer Apache/2.0.40 (Red Hat Linux>\r\nHccept-Ranges bytes SrSnContent-Length 2898\r\nConrectior 

close \r\nContent-Type tBXtAitwl; charset=IS0-8859-l\r\n\r\iv ! IiuZT VPE HTML PUBLIC "-//U3C//DTD H 
Protocol on 127.0.0.1:22/tcp matches ssh - banner: SSH-1.9?-0penSSH_3.4pl\n 

Protocol on 127 .0.0. l:22/tcp matches ssh-openssh - banner: SSH- 1.99- OpenSSH _3.4pl\nProtocol mismatch. \n 
Protocol on 127.0.0.1:23/tcp watches telnet - banner: ** 

Protocol on 127 .0 .0 . 1 1 21 /tap matches ftp - banner: 220 ready, dude (usFTPd 1.1.0 beat me, break ne)SrSnE 
0 Please login with USER and PPISS,\rVi530 Please login with USER and PHSS.\r\n 

Unidentified ports: none. 

atnap u4.5 finished at 2004-01-11 15:32:19 

CrootSlocalhost amap-4.5]* | 2 



Sshl:3DES 16, 23 16 Rows, 10t Cols VT100 



202 Part IV: Operating System Hacking 



DropBoofe 




ing the doors and windows in your house — the more you lock, the fewer 
places an intruder can enter. 

bisabtinq unneeded services 

The best method of disabling unneeded services depends on how the daemon 
is being loaded in the first place. There are several places to do this, depend- 
ing on the version of Linux you're running. 



inetd.conf 

If it makes good business sense — in other words, you don't need it — disable 
unneeded services by commenting out the loading of daemons you don't need. 
Follow these steps: 

1. Enter the following command at the command prompt: 



The process ID (PID) for each daemon, including inetd, is listed on the 
screen. In Figure 12-9, the PID for the sshd (Secure Shell) daemon is 646. 

2. Copy the PID for inetd from the screen on a notepad. 

3. Open /etc/inetd.confin the Linux text editor vi by entering the fol- 
lowing command: 

vi /etc/i netd . conf 

4. When you have the file loaded in vi, enable the insert (edit) mode by 
pressing I. 

5. Move the cursor to the beginning of the line of the daemon that you 
want to disable, such as httpd (Web server daemon), and type # at the 
beginning of the line. 

This comments out the line and prevents it from loading when you 
reboot the server or restart inetd. 

6. To exit vi and save your changes, simply press Esc to exit the insert 
mode, type :wq, and then press Enter. 

This tells vi that you want to write your changes and quit. 

7. Restart inetd by entering this command with the inetd PID: 

kill -HUP PID 




If you don't need a service running, take the safe route. Turn it off! 



ps -aux 



Chapter 12: Linux 



pBocp 



Figure 12-9: 

Viewing the 
process IDs 
for running 
daemons 



ps 



using 
-aux. 





















3 


File Edit 


View Options 


Transfer Script Wiridou 


Help 










1 , 


CP m 


I* 




& 


\ % 














--l.il- n'.. - J 


ps -= 














- 


i l/C 




'CPU 


XMEM 


VSZ 




STfiT 


START 


TIME COMMAND 




i r\ 




k 0.0 


0.2 


1264 


460 7 


S 


Febu6 


0 


04 init 






fei " 




I: .0 


0.0 


0 


0 7 


5H 


Feb06 


0 


00 Ckeuentd] 










0.0 


0.0 


0 




SH 


Feb06 


0 


00 [kapMd] 








4 


0.0 


0.0 


0 


0 7 


SUN 


Feb06 


0 


00 [ksoftirqd.CPUO] 








5 


0.0 


0.0 


0 


0 ? 


SH 


Feb06 


0 


03 Lksuapd] 








6 


0.0 


0.0 


0 


0 7 


SH 


FebOif 


0 


00 Lbdflush] 








7 


0.0 


o.c 


0 


0 7 


SH 


Feb06 


0 


00 [kupdated] 








8 


0.0 


0.0 


0 


0 ? 


SH 


Feb06 


0 


00 [ndreccweryd] 








14 


0.0 


0.0 


0 


0 7 


SH 


Feb06 


0 


00 [scsi_eh_0] 








17 


0.0 


0.0 


0 


0 ? 


SH 


Feo'jt 


0 


01 Ckjournaldl 








73 


0.0 


o.c 


0 


0 ? 


SH 


Feb 06 


0 


00 Lkhubdll 








165 


0.0 


0.0 


0 


0 ? 


SH 


FeWe 


0 


00 Ck journal d] 








407 


0.0 


0.0 


0 


0 7 


SH 


Feb06 


0 


00 CethO] 








461 


0.0 


0.2 


1324 


532 ? 


5 


Fe-j'Jt 


0 


00 syslogd -w 0 








465 


0.0 


0.2 


1264 


432 7 


S 


FebOb 


0 


00 klogd -x 








463 


0.0 


0,2 




524 7 


5 


FebOO 


0 


00 port nap 






rpcuser 


502 


0.0 
0.0 


0.3 
0.2 


1444 
1256 


728 7 
488 7 


S 
S 


Feb06 
Feb06 


0 

0 


00 rpc.statd 

00 Ajsr/sbin/apmd -p 10 ~ui 


5 -W -P 






620 


0.0 


1.2 


7732 


2332 7 


S 


Feb06 


1 


17 Ajsr/sbin/snmptrapd -s 


-u /var/r 




naned 


629 


0.0 


1.2 


luii.2J 


2484 7 


S 


Feb06 


0 


00 named -u named 








646 


0.0 


0.7 


3200 


142B 7 


S 


Feb06 


0 


10 Ajsr/sbin/sshd 








660 


0.0 


0.4 


1996 


916 ? 


S 


Feb06 


0 


00 xinetd -stayaiive -reus 


i -pidfil 






674 


0.0 


0.9 


1836 


1828 7 


SL 


Feb06 


0 


00 ntpd -U ntp 








693 


0.0 


0.2 


3196 


528 7 


S 


Feb06 


0 


00 rpc.rquotad 








698 


0.0 


0.0 


0 


0 7 


5H 


Feb06 


0 


00 Cnfsd] 


















sshl ; 3DES 


'27, Z7 27ROWS, 95COIS VT100 







chkconfig 

If you don't have an inetd.conf file, your version of Linux is probably run- 
ning xinetd (www . xi netd .org) — a more secure replacement for inetd — to 
listen for incoming network application requests. You can edit the /etc/ 
xinetd.conf file if this is the case. For more information on the usage of 
xinetd and xi netd . conf, enter man xinetd or man xinetd.conf at a Linux 
command prompt. If you're running Red Hat 7.0 or later, you can run the 
/sbi n/ch kconf i g program to turn off the daemons you don't want to load. 

For example, you can enter the following to disable the snmp daemon: 

chkconfig --del snmpd 

You can also enter chkconfig — list at a command prompt to see what ser- 
vices are enabled in the xinetd.conf file. 




The chkconfig program can be used to disable other services, such as FTP, 
telnet, and Web server. 



Access control 

TCP Wrappers can control access to critical services that you run, such as 
FTP or HTTP. This program controls access for TCP services and logs their 
usage, helping you control access via hostname or IP address and track mali- 
cious activities. 

You can download it from www . Stanford, edu/group/itss-ccs/security/ 
unix/tcpwrappers.html. 



Part IV: Operating System Hacking 



.rhosts and hosts. equiti Files 

d Books. 

PracticalK 



nd all the flavors of UNIX — are very file-based operating systems. 
Practically everything that's done on the system involves the manipulation of 
files. This is why so many attacks against Linux are at the file level. 



Hacks 

If hackers can capture a user ID and password by using a network analyzer, or 
can crash an application and gain root access via a buffer overflow, one thing 
they look for is what users are trusted by the local system. The /etc/hosts, 
equi v and .rhosts files list this information. 

.rhosts 

The $home/ . rhosts files in Linux specify which remote users can access 
the Berkeley Software Distribution (BSD) r-commands (such as rsh, rep, and 
rlogin) on the local system without a password. This file is in a specific user's 
home directory, such as / home/jsmith.A .rhosts file may look like the this: 



tribe scott 
tribe eddie 










This file allows users 


Scott and Eddie on the 


remote-system tribe 


to login to 



the local host with the same privileges as the local user. If a plus sign (+) is 
entered in the remote-host and user fields, any user from any host could log 
in to the local system. The hacker can add entries into this file by 

v 0 Manually manipulating it. 

V Running a script that exploits an insecure Common Gateway Interface 
(CGI) script on a Web-server application that's running on the system. 

This configuration file is a prime target for a hacker attack. On most Linux 
systems I've tested, these files aren't enabled by default. However, a user can 
create one in his or her home directory on the system — intentionally or 
accidentally — which can create a major security hole on your system. 

hosts.e^uiU 

The /etc/hosts. equiv specifies which accounts on the system can access 
services on the local host. For example, if tribe were listed in this file, all 
users on the tribe system would be allowed access! As with the .rhosts file, 
external hackers can read this file and then spoof their IP address and host- 
name to gain unauthorized access to the local system. Hackers can also use 
the names located in the .rhosts and hosts. equiv files to look for names of 
other computers to attack. 



Chapter 12: Linux 205 



Countermeasures 



DropBocfe 



of the following countermeasures to prevent hacker attacks against 
sts and hosts. equiv files in your Linux system. 



Disabling commands 

A good way to prevent abuse of these files is to disable the BSD r-commands 
altogether. This can be done by either 

Commenting out the lines starting with shell, login, and exec in 
i netd . conf . 

i>* Editing the rexec , rlogin, and rsh files located in the /etc/ 
xi netd . d directory. Open each file in a text editor, and change 
di sabl e = no to di sabl e=yes, as shown in Figure 12-10. 



Figure 12-10: 

The rexec 
file showing 
the disable 
option. 




E^LinuH - SecureCRT 



File Edit View Options Transfer Script Window Help 

3 9 



to.|« 1 m if S§ I ■? 



Croot@localhost xinetd.dltt cat rexec 

• default; off 

tt description; Rexecd is the server for the rexec(3) routine. The server 

* provides remote execution facilities with authentication based \ 
tt on user names and passwords. 

service exec 



3 



disable = yes 

socket_type 

wait 

log_on_success 
log_on_failure 
server 

} 

[root@localhost xinetd.dl* 
Ready 



= stream 
= no 
= root 
^ USEPIII 
♦= USERID 

= /usr/sbin/in. rexecd 



|sshl:3DES 16,28 1 6 Rows, 75 Cols |VT100 | f 



In Red Hat Linux, you can disable the BSD r-commands with the setup program: 

1. Enter setup at a command prompt. 

2. Select System Services from the menu. 

3. Remove the asterisks next to each of the r-services. 



Blocking access 

A couple of countermeasures can block rogue access of the . r hosts and 

hosts . equi v files: 

is* Block spoofed addresses at the firewall, as I outline in Chapter 9. 

f Set the permissions on these files so that only the owners can read 
them. 



Part IV: Operating System Hacking 



• . r hosts: Enter this command in each user's home directory: 

chmod 600 .rhosts 
hosts. equiv: Enter this command in the /etc directory: 
chmod 600 hosts. equiv 

You can also use Tripwire (www . tri pwi re . org) to monitor these files and be 
alerted when access or changes are made. 



NFS 

The Network File System (NFS) is used to mount remote file systems (similar 
to shares in Windows) from the local machine. 



Hacks 

If NFS was setup improperly or its configuration has been tampered with — 
namely, the /etc/exports file containing a setting that allows the world to 



read the entire file system — remote hackers can easily obtain remote access 



and do anything they want on the 
lowing in the /etc/exports file: 


: system. Al 


it takes is a line such as the fol- 


/ rw 










This line basically says anyone can remotely mount the root partition in a 
read-write fashion. Of course, the following conditions must also be true: 



W The NFS daemon (nfsd) must be loaded, along with the portmap daemon 
that would map NFS to RPC. 

t<" The firewall must allow the nfs traffic through. 

i>* The remote systems that are allowed into the server running the NFS 
daemon must be placed into the / etc/hosts. allow file. 



This remote-mounting capability is easy to misconfigure. It's often related to 
a Linux administrator's not understanding what it takes to share out the NFS 
mounts and just resorting to the easiest way possible to get it working. After 
hackers can gain remote access, the system is theirs. 



DropBooks 



Chapter 12: Linux 207 



Countermeasures 



DropBocte 



defense against NFS hacking depends on whether you actually need 
ce running. 



v 0 If you don't need NFS, disable it altogether. 

f If you need NFS, implement both of the following countermeasures: 

• Filter NFS traffic at the firewall — typically, TCP port 1 1 1 if you 
want to filter all RPC traffic. 

• Make sure that your /etc/exports and /etc/hosts . a 1 1 ow files 
are configured properly to keep the world outside your network. 



File Permission 

In Linux, special file types allow programs to run with the file owner's rights: 

IV SetUID (for user IDs) 
V SetGID (for group IDs) 

SetUID and SetGIF are required when a user runs a program that needs full 
access to the system to perform its tasks. For example, when a user invokes 
the passwd program to his or her password, the program is actually loaded 
and run with root or any other user's privileges. This is done so that the user 
can run the program, and the program can update the password database 
without root's having to get involved in the process manually. 



Hacks 

By default, rogue programs that run with root privileges can be easily hidden. 
A hacker may do this to hide such hacking files as rootkits on the system. 



Countermeasures 

You can test for these rogue programs by using both manual and automated 
testing methods. 



208 P art 'V: Operating System Hacking 



Manual testing 



^ |— ^ The follov 

DropBooKa 



following commands can identify SetUID and SetGID programs: 
rams that are configured for SetUID: 




find / -perm -4000 -print 
i>* Programs that are configured for SetGID: 

find / -perm -2000 -print 
i>* Files that are readable by anyone in the world: 

find / -perm -2 -type f -print 
«* Hidden files: 

f i nd / -name " .*" 



You probably have hundreds of files in each of these categories, so don't be 
alarmed. When you discover files with these attributes set, you'll need to 
make sure that they are actually supposed to have those attributes by 
researching in your documentation, on the Internet, or even by comparing 
them to a known secure system or data backup. 

Keep an eye on your systems to detect any new SetUID or SetGID files that 
suddenly appear. 

Automatic testing 

You can use an automated file-modification auditing program to alert you 
when these types of changes are made. This is what I recommend — it's a lot 
easier on an ongoing basis. 



A change-detection application, such as Tripwire, can help you keep 
track of what changed and when. 

A file-monitoring program, such as COPS (dan. dry dog. com/cops), finds 
files that have changed in status (such as a new SetUID or removed 
SetGID). 



Buffer 0</erf louts 

RPC and other vulnerable daemons are common methods for buffer-overflow 
attacks. Buffer-overflow attacks are often how the hacker can get in to modify 
system files, read database files, and more. 



Chapter 12: Linux 



Attacks 



DropBoQfe 



Ser-overflow attack, the hacker either manually sends strings of infor- 
fo the victim Linux machine or writes a script to do so. These strings 





contain 

u* Instructions to the processor to basically do nothing, 
f Malicious code to replace the attacked process. 

For example, exec ( " / b i n / s h " ) creates a shell command prompt. 
A pointer to the start of the malicious code in the memory buffer. 



If an attacked application (such as FTP or RPC) is running as root (many pro- 
grams do), this can give the hacker root permissions in his remote shell. 

You can run security-testing tools against your systems to test for buffer 
overflows, but I don't recommend it, because it can crash your system! 



Countermeasures 



Three main countermeasures can help prevent buffer-overflow attacks: 



Disable unneeded services. 

Protect your Linux systems with either a firewall or host-based intrusion 
prevention. 

Enable another access control mechanism, such as TCP Wrappers, that 
authenticates users with a password. 

Don't just enable access controls via an IP address or hostname. That 
can easily be spoofed. 



Always make sure that your systems have been updated with the latest 
kernel and security patches. 



Physical Security 



Some Linux vulnerabilities involve the hacker's actually being at the system 
console. 



210 Part IV: Operating System Hacking 



Hacks 



DropBoqfe 



lacker is at the system console, anything goes, including rebooting 
m (even if no one is logged in) simply by pressing Ctrl+Alt+Del. After 
the system is rebooted, the hacker can start it up in single-user mode, which 
allows the hacker to zero out the root password or possibly even read the 
entire /etc/passwd or /etc/shadow file. 



Countermeasures 

Edit your /etc/inittab file and remark out (place a # sign in front of) the 
line that reads ca :: Ctrl al tdel : /sbi n/shutdown -t3 -r now, as shown 
in the last line of Figure 12-11. 



Figure 12-11: 

/etc/i ni 
ttab 
showing the 
line that 
allows a 
Ctrl+Alt+Del 
shutdown. 



File Edit View Options Transfer Script Window Help 



l-lnlxl 



[kbetf.'ei'-II'lO'ialhOLi:. etc] f 
t inittab This filr 



I Default runlevel. The runlevels used by RHS are: 

I 0 - halt (Do NOT set initdefault to this) 

I 1 - Single user mode 

I 2 - Multiuser, without NFS <The same as 3, if you do not have networking) 

I 3 - Full multiuser mode 

I 4 - unused 

t 5 - Mil 

I 6 - reboot (Do HOT set initdefault to this) 



id:5:initdefault: 



10:0:i.iait:/etc/rc.d/rc 0 
ll:l:uait:/etc/rc.d/rc 1 
12;2:. 1 .ait:/etc/rc.d/rc 2 
13:3:i.iait:/etc/rc.d/rc 3 
14:4:uait:^etc/rc.d/rc 4 
15:5:uait:/etc/rc.d/rc 5 
Ibibiiiiaiti/etc/rcd/rc 6 



Sshl:3DE5 I 35, 26 , 36 ROWS, 107 Cds |VT1DD 




If you believe that a hacker has recently gained access to your system either 
physically or by exploiting a vulnerability such as a weak password or buffer 
overflow, you can use the last program to view the last few logins into the 
system to check for strange login IDs or login times. This program peruses 
the /var/1 og/wtmp file and displays the users who logged in last. You can 
enter last | h e a d to view the first part of the file (the first ten lines) if you 
want to see the most recent logins. 



Chapter 12: Linux 211 



General Security Tests 

DropBooks 

systems. .< 



ssess critical, and often-overlooked, security issues on your Linux 
systems, such as the following: 

Misconfigurations or unauthorized entries in the / etc/passwd and 
/etc/shadow files 

u* Password policies 



v 0 Users equivalent to root 

v 0 Suspicious automated tasks configured in cron 
f* Signature checks on system binary files 
i>* Checks for rootkits 

v* Network configuration, including measures to prevent packet spoofing 
and other DoS attacks 

Permissions on system log files 



You can do all these assessments manually — or, better yet, use an automated 
tool to do it for you! Figure 12-12 shows the initiation of the Tiger security 
auditing tool, and Figure 12-13 shows a portion of the audit results. Talk about 
some great bang for no buck with this tool! 



Figure 12-12: 

Running 
the Tiger 
security 
auditing 
tool. 







File Edit View Options TransFer Script Window Help 




~ W i S) ! "SQ &%: a\&Sg ? 




[root@localhost tiger]* /usr /local /bin /tiger 
bash: /usr/local/bin/tiger: No such file or directory 
[f jotiJluL alhu: t tiser ] # /usr /local / = bin /tiger 
Tiger UN*X security checking system 

Developed by Texas A&M University. 1994 
Updated by the Advanced Research Corporation. 1999-2002 
Further updated by Javier Fernandsz-baniuinci. 2001-2003 
Covered by the GNU General Public License (GPL) 




il 


Configuring. . . 






Will try to check using config for 'i566' running Linux 2.4,18-14... 

— CONFIG — lcon005c: Using conFiguration files for Linux 2.4.1B-14. Using 

configuration files for generic Linux 2, 
Tiger security scripts *** undetermined **» 
22:17> Beginning security report for localhost.localdomain, 
22:17> Starting file systems scans in background... 
22:17> Checking password Files... 
22:17> Checking password Format... 
22:17> Checking group files... 
22:17> Checking user accounts... 
22:17> Checking .rhosts files... 
22:17> Checking .netrc Files... 

22:17> Checking ttytab, securetty. and login conFiguration Files... 
22:17> Checking PATH settings... 
22:18> Checking anonymous ftp setup... 
22:1B> Checking mail aliases... 

22;lfl> Checking cron antrlaa... 




Ready sshl: 3DES 


30, 1 28 Rows, 100 Cols VT100 


1 /, 



Part IV: Operating System Hacking 




Figure 12-13: 

Partial 
output of the 
Tiger tool. 




Transfer Script Window Help 

■ Q I "3 % a i e m I ? 



irk configuration 
.nOTbf] 

I configured 



-FAIL— 



er to I CMP broadcasts 
not protected against Syn flooding attacks 
■mits the transmission of IP packets with in 



olid 



ClinOWf] 

addresses 
—FAIL— tlln016f: 

The system permits source routing from incoming packets 
— WARN — CllnOlTi*] 

The system is not configured to log suspicious (martian) packets 

* Verifying system specific password checks,. , 

— WARN — [accOlSwl Login ID root does not have password aging enabled. 



■-inixi 



15 Rows, 100 Cols VT100 



I like to run the Red Hat-focused Linux Security Auditing Tool (LSAT) in addi- 
tion to Tiger. It's similar to Tiger, but it also searches for Red Hat Linux-specific 
security issues. 

You can use to test for the SANS Top 20 (www .sans.org/top20) Vulnerabilities 
is VLAD the Scanner by the Bindview Razor security team. A portion of its 
output is shown in Figure 12-14. 



Figure 12-14: 

Partial 
output of the 
VLAD the 
Scanner 
tool. 



i»jii,'i[iBjiji una 



Transfer Script Whdow Help 



1-lnlxl 



CrootSlocalhost ulad-0.9 .2]» ..-■'..■lad.pl 127.0.0.1 
VLAD the Scanner vO.9.2 

RAZOR Security Team — (c> Bindview Corporation 
http: //razor .bindview .com /tools/vlad/ 



SANS Top Ten securj 

bee hit.tp :.■■'.■' I. j . = aci= .ofi .■' -.opr. en .hti'i for t -.en :iet=i: 

'Lee =.l:-o Doc : . inde:- .hthl for more info 



~3 



banner. This could be anon-BIND DNS i 



#1 - BIND weaknesses i 
Unable to parse versic 
ized BIND 

No problems related to *1 

•7 - Global file sharing and inappropriate information sharing 



) very old version of BIND, c 



Details: 

The portmapper, or rpcbind was found 
could use it to locate additional 



■ firewall the rpcbind port from untrusted systems, 
i -zec-.'.'E repleiceherit. f "o.i ..e_L:e uenei' s . 

Sshl:3DES 31,30 36 ROWS, 103 Cols VT100 



Patching Linux 

Ongoing patching is perhaps the best thing you can do to enhance the secu- 
rity of your Linux systems. Regardless of the Linux distribution you use, 
using a tool to assist in your patching efforts makes your job a lot easier. 



Chapter 12: Linux 



pBocfe 



Distribution updates 



ibution process is different on every distribution of Linux. You can 
bllowing tools, based on your specific distribution. 



Red Hat 

You can use the following tools to update Red Hat Linux systems: 

Red Hat Package Manager (RPM), which is the GUI-based application 
that runs in the Red Hat GUI desktop. It manages those files with a .rpm 
extension that Red Hat and other freeware and open-source developers 
use to package their programs. 

V 0 up2date, a command-line text-based tool that is included in Red Hat. 

AutoRPM (www. autorpm. org). 

V The open-source NRH-up2date (www .nrhup2date.org). 



Debian 

You can use the Debian Package System (dpkg) included with the operating 
system to update Debian Linux systems. 

Stackutare 

You can use the Slackware Package Tool (pkgtool) tool included with the 
operating system to update Slackware Linux systems. 

SuSE/Mo</ett 

SuSE (now owned by Novell) includes the YaST2 Package Manager. 



Muttiptatform update managers 

Commercial tools add nice features over the standard package managers 
(which I describe in this chapter), such as correlating patches with vulnera- 
bilities and automatically deploying appropriate patches. Commercial tools 
that can help with Linux patch management include BigFix Patch Manager 

(www. bi gf i x . com) and SysUpdate (www . securi typrof i ling. com). 



211) P art Operating System Hacking 



DropBooks 



DropBooks 



Chapter 13 

Novell NetWare 



In This Chapter 

Selecting NetWare hacking tools 

Port-scanning a NetWare server 

Gleaning NetWare information without logging in 

Exploiting common vulnerabilities when logged into NetWare 

Minimizing NetWare security risks 



IM s much as some of Novell's competitors like to say that NetWare is a 
w \ thing of the past, it's still alive and kicking quite strongly. There are mil- 
lions of NetWare users around the world. The organizations running NetWare 
and other Novell products demand a solid directory-services infrastructure 
and stable environment. 

NetWare administrators — some of the best around — often overlook or deny 
that NetWare is hackable. This chapter shows you how to test for the most crit- 
ical NetWare exploits and outlines countermeasures to prevent the problems. 



Novell NetWare has a reputation as one of the most secure operating systems 
available. This is one reason that you rarely hear of NetWare servers' getting 
hacked or having new vulnerabilities that crop up constantly However, NetWare 
has its security issues. Various NetWare vulnerabilities can be exploited — 
from NDS (now called eDirectory) enumeration to remote password testing to 
spoofing NetWare packets. Hackers can exploit many of NetWare's vulnerabil- 
ities without even logging into the server! 




NetWare Vulnerabilities 



216 



Part IV: Operating System Hacking 



DropBooks 



NetWare servers are frequently the most vital servers within a network. They 
often perform the following functions: 




ise critical files 

i>* Store replicas of the eDirectory database for hosting, replicating, and 
managing such directory-service objects as user IDs, printers, organiza- 
tional units, and application licenses 

i>* Host e-mail with Novell GroupWise 

*** Host Web sites and Web applications with such programs as Apache and 
Tomcat 

W Serve as firewalls with Novell BorderManager 



Starting with NetWare 7, Novell will release a version of NetWare that's Linux- 
based. So, if you do a lot of work with NetWare, now's the time to start beef- 
ing up on your Linux skills! 



Choosing Toots 




The following are my favorite NetWare-specific tools — they can offer up 
everything you need: 



V SuperScan (www .foundstone .com) for port scanning 

t<" LANGuard Network Security Scanner (www . gf i . com) for port scanning, 
OS enumeration, and vulnerability testing 

NCPQuery (razor. bindview.com/tools/index.shtml) for server 
and eDirectory enumeration 

f Remote (packetstormsecurity.nl/Netware/penetrati on) for 
Remote Console password cracking 

Make sure that you have the latest version of Novell's Client32 software from 
down load. novell .com on your test computer before running these tests. 



Getting Started 

Although NetWare doesn't have many serious security vulnerabilities (rela- 
tively speaking), a few stand out. The hacks in this chapter are against a 
default installation of NetWare 5.1 from inside the firewall. However, these 



Chapter 13: Novell NetWare 2/7 



DropBpdte 

Patches c 




vulnerabilities and tests apply to most versions of NetWare A.x and newer — 
the ones running NDS and eDirectory. I also point out a few critical NetWare 
rabilities. 




Patches on your specific systems may have fixed some of these vulnerabili- 
ties. If you don't get the exact same results as shown in this chapter, you're 
probably safe! 

If you have the latest Novell-supplied patches on your systems, your systems 
are likely to be secure. However, the hacks in this chapter are significant, so 
you should test for them to make sure that your server is safe. 

Older versions of NetWare such as 4.2 and 5.0 are being phased out of sup- 
port. You'll no longer receive security updates for these versions. 



Server access methods 

You can access a NetWare server in the following four ways — each of which 
affects how you can test: 




V Not-logged in: This is a connection where you simply perform port 
scans or make NCP calls across the network without actually logging in. 

i>* Logged in: This connection requires you to log in with a valid bindery or 
eDirectory user ID and password. 

This is the basic method for accessing standard NetWare services. 
Web access: This connection may be available if you're running GroupWise 



WebAccess e-mail services, various NetWare management tools, or other 
basic Web-server applications. 

v 0 Console access: This access method requires you to be either at the 
server console or using a remote-connectivity product (such as NetWare's 
built-in rconsole or even a console that shipped with NetWare 3.x and 
earlier systems). 

When you finish scanning your NetWare systems for open ports and 
general information gathering, you can test for common NetWare security 
vulnerabilities. 



Port scanning 

Start testing your NetWare systems by performing an initial port scan to 
check what hackers can see. You can perform these scans in two main ways: 



Part IV: Operating System Hacking 



Droogpcte 



u 0 If the server has a public IP address, scan from outside the firewall, if 
possible. 



e server doesn't have a public IP address, you can scan internally on 
etwork. 



Hackers can be inside your network, too! 

The SuperScan results in Figure 13-1 show several potentially vulnerable ports 
open on this NetWare server, including FTP and the commonly exploited Echo 
and Character Generator ports. In addition, the NetWare specific port 524 is 
NCP (NetWare Core Protocol). NetWare uses this protocol for its internal com- 
munications with such hosts as clients and other servers — similar to SMB in 
Windows. 



Figure 13-1: 

Using 
SuperScan 
to scan a 
default 
installation 
of NetWare 
5.1. 



Hostname Lookup 



110.11.12207 
Resolved | 



J 



Me | Interfaces | 



Configuration 

Port list setup 



Start|l0.1 1.1 2.207 ;rj 
Stop|l011 12.207 

PrevCl Nextcl 1 .254 I 



Ignore IP zero 
Ignore IP 255 
K~ Extract from file 



Timeout 

Ping 



1 400 
Connect 



1 2000 
Read 



Scan type 

fv Resolve hostname? 
W Only scan responsive pings 
W Show host responses 
C Ping only 
C Every port in list 
C All selected ports in list 
r AN list ports from | | !-,-':■ i i 
P All ports from fl 165535 



- Scan 



10.11.12.207 [ 0 
10.11.12.207 FT 
1011 12.207 0 



Speed 

Max 



- / 10.11.12.207 (Unknown] 
* 7 Echo 
j 9 Discard 
= ■* 19 Character Generator 

■ !"tt$S»TJ"+.-./012345B789:.< 



>?®iBCDEFGHIJKLMNOPQRSTUVW 



21 File Transfer Protocol [Control] 



DD 220 Service Ready for new User . 
427 Seiver Location 
524 NCP 



Active hurt : 
Open ports 

Save 



Expand all 



► j Ptune | 



You may also find that GroupWise is running (TCP port 1677), as well as 
potentially a Web server and other Web-based remote-access ports, such as 
80, 443, 2200, 8008, and 8009. 



You can also perform a scan with LANguard Network Security Scanner. Using 
a commercial tool such as this can often provide more details about the sys- 
tems you're scanning than a basic port scanner. Figure 13-2 shows that it can 
determine more information about the server, such as the NetWare version 
and SNMP information. It also tells you what's listening on the open ports 
without your having to look them up. 



Chapter 13: Novell NetWare 




GFI LAISguard Network Security Scanner v(3.2) 



File Edit View 5can Patches Tools LANguard Tray Help 



P (system) 

Gf sysDesci: Novell NetWare 5.00h December 11. 1 999j|null 
jf sysUpTime: 1 4 minutes, 33 seconds 
3 sysContact : null 
@f sysName ; NW51 
Jf sysLocation : null 

3 Object ID : 1 .3.6.1 .4.1 .23.1 .6.5 (Novell Netware 5.x) 
/4 Vendor : Novell 
jf Time to live (TTL| ; 1 28 (1 28J - Same network segment 
B Address mask: 255.255.255.0 
( TCP Ports [2] 

$ 21 1 Ftp => File Transfer Protocol ] 

0 220 Service Ready lor new User 

• 427 [ SLP => Service Location Protocol ] 

£j UDPPorts(3] 

• 123 [ NTP => Network Time Protocol ] 

• 161 [ SNMP => Simple Network Management Protocol ] 

• 520[routei=> Router routed RIPv.1, RIPv.2 ] 
Alerts (1) 

B Service Alerts (1) 

B--|*J SNMP service is enabled on this host 



NCPQuery 

You can run NCPQuery with command line options to gather information 
about your server and directory tree, including the server information shown 
in Figure 13-3. 



C:\netuare Snc pque ry\n c pqui 
■IcpQuerj) - Netware query i 
Connents/bugs - the gnome Pi 
httpz-Vrasor-bindu ieif .con 



Sub-ui 
1ax Ci 
Conn<: 



SFT 1. 
ITS li 

1C COLLI 
JfiP 

Queue 
Print 



i"j;-l . 3>ncpquery ■ 
)ol. vl.2 
izor.binduiew.coi 



1. 11. 12. 207 



bridge 



44800009 File Server 



NIJ51 
ADMIN 

PL_T BEE 

FLJTREE 

SMS_SMDR_GROUP 

NUS1_BACKUP_QUEUE 

JOHNNYD 

DOCIORX 

NIKKI 

MARV 

I! I 1,1. V 

SANDMAN 

DBUSER 

AUADMI NUSER 

BACKUP 

KBEAUER 



C:\ne t uare \ncpqiiery\ncpqueri;-l .3> 



This is a lot of information for a hacker to see without being logged in! 



220 Part IV: Operating System Hacking 



Countermeasures 



DropBoqto; 



;wing countermeasures can prevent the malicious enumeration of 
are systems: 

■ Installing the latest patches can eliminate many NetWare server 
vulnerabilities. 





If your NetWare version has been or will be phased out by Novell — 
meaning that it no longer provides security patches — you should seri- 
ously consider upgrading to the latest version. 

v 0 Port scanning can be performed with two steps: 

1. Unload any unneeded services, which in turn closes any associ- 
ated ports. 

2. Place the server behind a firewall to help block outsider attacks. 

i>* Blocking NCP port 524 at the firewall is the only way to disable an 
NCPQuery type of attack from outside. 

This may not help much for insider attacks. Internal network communi- 
cations require the NCP port 524 to be available. 

Use strong passwords for all user IDs in case a hacker discovers an ID 
and attempts to log in. 



Authentication 



If a hacker can gather information such as the server, eDirectory, and user ID 
information, he may be able to exploit a known vulnerability or even try to 
log in by using the user IDs that he discovered. When he's in, all bets are off, 
and anything goes. He could 

\S Log into your network as a regular user. 

v 0 Log into your network as admin. 

**" Obtain physical access to the server console. 



It's wise to assume that a hacker could log in as a user or administrator on 
your NetWare system and test for the worst-case scenario. 



Chapter 13: Novell NetWare 22 1 



Rconsole 



DropBocfe 



e most serious NetWare security vulnerabilities is the NetWare 
onsole program (referred to as rconsole). Rconsole is an SPX 
protocol-based remote-control program similar to telnet and Windows 
Terminal Services. It gives users full access to the NetWare console if they 
know the password, rconsole consists of the following: 

The remote . nl m and rspx . nl m files on the server 

The rconsol e . exe client program in the sys : \publ i c directory 

i>* For rconsole to work, you must load the rspx NLM with one of these 
methods: 

•Enter load rspx at the console. 

• Place it in your a utoexec . ncf or 1 dremote . ncf file just below 
your load remote line. 



Attacks 

Rconsole is vulnerable because its passwords can be easily obtained. The 
passwords are stored in either clear text or an easily crackable hash format 
on the server in the sys : \system\autoexec . ncf file or sys : \system\ 
1 dremote .ncf files. 



If you encrypt your rconsole passwords, cracking them is simple. The follow- 
ing steps demonstrate how vulnerable the rconsole password really is: 

1. Enter load remote to load the remote NetWare Loadable Module 
(NLM) on the server. 

2. Enter the password you want to use when prompted. 

3. Enter remote encrypt and enter your rconsole password again when 
prompted. 

The server generates the encrypted password and displays the entire 
command you need to run on the screen, including the hashed pass- 
word. It looks similar to the response in Figure 13-4. 

The server may also enter the command into the Idremote.ncf file, 
but it sometimes fails. For simplicity, just enter the 1 oad remote -E 
password command manually into your autoexec, ncf file. Don't write 
this password down somewhere that's easily accessible to others. 



222 Part IV: Operating System Hacking 



NW51 - System Console 




Figure 13-4: 

Encrypting 
your 
rconsole 
password. 



n * • i a - m i <a q ? 



J | ► System Console 



lemote 
togHOdule remote, nlh 

^mote console 
vers-iorT5.il August 25, 1999 

copyright 1999 Novell, Inc. All rights reserved. 



Enter a password for Remote console 

> 

Remote console successfully loaded 
NW51: 

NW51:remote encrypt 



Enter a password to encrypt 

use this password use the command: 

Load REMOTE -E 287502221D2EBB4BCDD44BDC68 

would you like this command written to sys:system\ldremote. ncf? (y/n) 
NW51: 



Now it's time to try cracking the encrypted rconsole password. For this, I use 
the remote cracking program — not to be confused with the remote NLM 
that's part of rconsole. 

Simply run the remote.exe cracking program against the rconsole password 
hash that's displayed on the screen (or stored in the server's autoexe.ncf 
or 1 d remote .ncf file). Enter a line like the following at a command prompt: 

remote password_hash 
The result is the rconsole password. 

You can try the preceding steps against my password. Figure 13-4 shows the 
hash: 

287502221D2EBB4BCDD44BDC68 

Anyone using the following three items can even capture the encrypted rcon- 
sole password traveling across the wire and decrypt it: 

V Network analyzer 

V Rcon program (packetstormsecurity.nl/Netware/penetration/ 
rcon . zi p) 

is* The steps outlined in the rconf aq . txt file at packetstormsecuri ty . 
nl/Netware/audit/rconfaq.zip 



Chapter 13: Novell NetWare 




The remote NLM stores its password in server memory. Anyone with console 
access can go into the NetWare debugger by pressing Shift+Alt+Shift+Esc 
use both Shift keys) on the server keyboard and view it in clear 
(process is explained at packetstormsecuri ty.nl /Netware/ 
audi t/rconf aq . zi p. 



access cai 



Countermeasures 

The following can prevent attacks against NetWare servers running rconsole: 



Don't use rconsole — at least, don't use it on critical NetWare servers. 
(Does anyone have a server that isn't critical?) 

i>* If you must use rconsole, secure it with one of the following steps for 
your version of NetWare: 

• In NetWare 4.x or earlier, lock your server by using the monitor 
NLM. 

• With NetWare 5 and newer, load the scrsaver NLM. It displays the 
fancy text-based NetWare snake and requires a valid NetWare 
account to unlock. 

V Consider using one of these remote NetWare management programs 
instead of rconsole: 

• Rconj is a Java-based version of rconsole that's able to work over 
using TCP. It comes with NetWare 5.x and later but has limited 
functionality. 

Be sure to patch Rconj if you run it on NetWare 6. Rconj has a known 
authentication vulnerability when running on NetWare 6 that allows a 
hacker to gain access without a password. 

• AdRem Software (www . adremsof t . com) offers a couple of great 
rconsole replacements that I highly recommend you check out. 

• AdRem Free Remote Console runs on NetWare 4.x SP9 and later 
servers. 

As the name implies, it's free! 

AdRem Free Remote Console doesn't encrypt remote-console com- 
munications, but it does require a valid NetWare login with a user 
ID that has console operator privilege (such as admin or equiva- 
lent). This adds a level of security that plain old rconsole just can't 
offer. 

• AdRem sfConsole is a commercial product with a ton of features, 
including encrypted communications and a Web-based interface. 



Part IV: Operating System Hacking 



SerVer-console access 



pBocfe 



access to the server console is a hacker's pot of gold. After hackers 
is access, they can do practically anything they want to with the 
server. This includes accessing the NetWare debugger to retrieve passwords 
and potentially other confidential information stored in memory — not to 
mention crash the server and more. 



The following countermeasures help ensure that NetWare console access is 
minimized to only those who are authorized: 

V Physical security is a must. Chapter 6 explains how to secure server 
rooms. 

Lock the server screen. You can keep the server console secure by either 
selecting the Lock Server Console option in the monitor NLM or loading 
the scrsaver NLM. 



Intruder detection 

Intruder detection is one of the most critical security features built into 
NetWare. It locks a user account for a specific period of time after a certain 
number of failed login attempts. 




Make sure that intruder detection is enabled on your system. It's disabled by 
default. 



Testing 

Default settings for intruder detection — after it's enabled — in NetWare 5.1 
are shown in Figure 13-5. Chapter 7 details intruder detection. 

Try logging in with invalid passwords for several test users — preferably, 
users from different organizational units (OUs) within eDirectory — to see 
whether intruder detection is working. Make sure that you type bad pass- 
words; blank ones don't seem to work well for this test. Here's how you know 
whether intruder detection is working: 

I v 0 If intruder detection is on, you should get a response similar to 
Figure 13-6. 

If intruder detection is off, you get prompted over and over again for a 
password. 




This is how hackers test whether intrusion detection is enabled on your 
NetWare server. 



Chapter 13: Novell NetWare 



225 



DropBoote 



Figure 13-5: 

Intruder- 
detection 
settings in 
NetWare 
5.1. 



Intruder Detection 



(ejection limits 
Wogin attempts: f? 
Intruder attempt reset interval: 
Days: [5"" 
Hours: fo" 
Minutes: [30~ 



P'ljOckacoojurt sfta fetecfai 
Intfuder lockout leset interval 

Days: [o 
Hours: [u~~ 
Minutes: |15 



Page Options.. 



Rights to Files and 
Directories 



Login Script 



Intruder Detection 



Security Equal To Me 



Print Job Configuration 
(NonNDPS) 



Printei Forms (Non NDPSl 



Print Devices [NonNDPS] 



Figure 13-6: 

A Novell 
Client32 
message. 



NetWare Security Message 


f 


a 


/■\ Login denied. Someone has attempted to access your account by guessing password 
* | Account disabled to deny possible intruder attack. See your system administrator. 

°K 1 


/akJBi 





Countermeasures 

You can implement the following countermeasures to ensure that unautho- 
rized logins are minimized and intruder detection is not abused: 




i>* Enable intruder detection as high in the directory tree as possible — 
preferably, at the uppermost organization level. 

This is one of the best hacking countermeasures you can implement in a 
NetWare environment. 

Look for evidence that the console NLM was unloaded by searching for 
entries in the sys : \etc\consol e . 1 og file. 

i>* Consider logging all events to a remote syslog server to help prevent a 
hacker from tampering with evidence. 



Rogue NLMs 

If a hacker gains console access to your server, a legitimate yet potentially 
dangerous NLM can be loaded, which can do bad things to the system. 



226 



Part IV: Operating System Hacking 



Testing 

following tests look for rogue NLMs running on your server. 



■-■X 1-^ The follo\ 

DropBoqEg 



ommand 

You can use the modules command at the server console prompt to view 
loaded modules. As shown in Figure 13-7, you simply enter the command 
modules at the server-console screen, and it displays a listing of NLMs that 
are loaded — from first to last in order of loading. 



NW51 - System Console 



Figure 13-7: 

Viewing 
loaded 
applications 
on a 
NetWare 
server. 



NW51 



J ^1 ] ► System Console 



-am 



NW5i:mocJu1es 

XENGNUL. NLM (Address Space = OS) 

NICI NULL xemg from Novell, Inc. 
version 1.02 October 1, 1999 

Copyright 1995-1999 Novell, inc. All rights reserved. Patent pending. 
IDBE.NLM (Address Space = OS) 

Loaded from internal nlm list [c:\nwserver\] 
Netware configuration db Engine 
version 5.10 September 27, 1999 

Copyright 1998-1999 Novell, Inc. All rights reserved. 
jwkcfg.nlm (Address Space = OS) 

Loaded from internal nlm list [c:\nwserver\] 
Netware Kernel config nlm 
Version 2.05 December 7, 1999 

copyright 1996-1999 Novell, inc. All rights reserved. 
pver500. NLM (Address Space = OS) 
Loaded from [c:\nwserver\1 
Netware 5.00 version Library 
Version 2.10 November 4, 1999 

Copyright 1996-1999 Novell, inc. All rights reserved. 
Press ESC to terminate or any other key to continue>_ 



Look for these NLMs in the modules output. If neither you nor another admin- 
istrator has loaded the following NLMs, you have a problem: 

u* Password reset tools: 

• setpwd 

This third-party NLM can reset any user's password on the server — 
including admin! It's located at ftp . ceri as . purdue . edu/pub/ 
tools/novel! /setpwd .zip. 

• setspwd 

This program resets the supervisor/admin password for NetWare 
3.x and 4.x. 

• setspass 

This program resets the supervisor password for NetWare 3.x 
systems. 



Chapter 13: Novell NetWare 22 7 



I dsrepair: This built-in NLM can corrupt or destroy eDirectory. It's actu- 
ally intended to repair and maintain the eDirectory database. 

asic: This built-in NLM can copy eDirectory files from the hidden 
\_netwa re directory It accesses a DOS-like prompt on the server. 

Check whether the nwconfig NLM is loaded. This built-in NLM is often used 
for day-to-day server maintenance, such as installing patches and editing 
system files. However, a hacker can load it and back up or restore the 
eDirectory database so that its files can be copied for malicious purposes. 
You can look to see if the NLM is loaded by either 

v 0 Looking at the modules output 

V* Pressing Ctrl+Esc to view all loaded applications 

*** Pressing Alt+Esc to toggle through all loaded applications 



DropBook-g 




Many NLMs can load on a NetWare server — especially in the more recent 
versions. If you have a question about what an NLM does or want to see 
whether it's valid, you can search on the filename at www . googl e . com or at 
support . novel 1 .com to get more information. 

A port scan of the server from another computer can find rogue applications 
as well. 



Tcpcon 

The tcpcon NLM shows ports that are listening and connected. Follow these 
steps to use it: 

1 . Enter load tcpcon at the server prompt. 

2. Select Protocol Information from the main menu. 

3. Select TCP and then TCP Connections to view the TCP ports that are 
open. 

4. Select UDP and then UDP Listeners to view the UDP ports that are 
open. 

Figure 13-8 shows the TCP ports that are open and listening on this 
server, including chargen, FTP, and NCP. 

If something doesn't look right, it may not be, so investigate the port number 
further. My favorite port number reference is at www . i ana . org/assi gnments/ 
port-numbers, but a simple Google search usually is productive. 



Part IV: Operating System Hacking 



r 



NW51 -TCPIP Console 



DropBook 



Figure 13-8: 

Using 
tcpcon to 
show open 
TCP ports 
on a 
NetWare 
server. 



~3 ¥ ' | 5 * ID I Q Q ? || Q)\ > TCPIPConsola 



Hffl 



Host: Local System 
Uptime: 0 Days 11 Hours 39 Minutes 58 seconds 
system: Novell Netware 5.00h December 11, 1999 



IP Received: 12, 844 



TCP Received: 



TCP Protocol information 



TCP Connections Table 




e Local 














HOSt 


Port 


Remote Host 


Port 


State 


ip 


0. 0. 0. 


0 




0. 0. 0. 0 


None 


1 i sten 


IP 


0.0.0. 


0 


389 


0.0.0.0 


None 


li sten 


IP 


0.0.0. 


0 


427 


0.0.0.0 


None 


li sten 


IP 


0.0.0. 


0 


524 


0.0.0.0 


None 


li sten 


IP 


0. 0.0. 


0 


636 


0. 0. 0. 0 


None 


li sten 



Admin utilities 

If hackers can successfully log in to a NetWare server or eDirectory, they can 
use, in malicious ways, some of the great — and free — NetWare admin utili- 
ties from JRB Software (www . j rbsof tware . com). For example, hackers can 

If* Run the downsrvr program to reboot a NetWare server — most likely at 
the worst possible time. 
V Use the serv_cmd program to disable logins, remotely load NLMs, and 
add bindery contexts to the system. 

Countermeasures 

The following countermeasures can minimize the chances that malicious 
NLMs will be running on your servers. 

Documentation 

The best way to keep track of loaded NLMs is to document, document, and 
document your server. It's critical to know what's supposed to be loaded on 
your server at all times. 

f" For each loaded NLM, you need to know its name, version, and date. 




Keeping up-to-date records can get tedious, especially with a large 
number of servers. Consider purchasing a commercial product — 
NetServerMon or AdRem Server Manager — to help you manage this 
task. 



Chapter 13: Novell NetWare 



V Save and print recent versions of your sta rtup . ncf and autoexec . ncf 
files. 



DropBocte 



ment — at least, at a high level — your eDirectory structure. You 
either 





• Take a screen capture of eDirectory as it looks in NetWare 
Administrator or ConsoleOne. 

• Run cx It /a / r, and save the output of the program to a text file 
by entering the following at a command prompt: 

cx It /a It > filename.txt 

Update your documentation after any system changes are made or any new 
patches are applied. 

Unauthorized logins 

To prevent rogue NLMs or remote applications from being loaded or run from 
a workstation, apply these security measures to your NetWare systems: 

i>* Make strong passwords on every NetWare account. I outline minimum 
password requirements in Chapter 7. 

V Secure the server console. 



W Enable intruder detection. 

i>* Neutralize dangerous NLMs, such as netbasic. You can either rename 
them or remove them. 

If you remove dangerous NLMs, make a backup of the files first. You may 
need them in the future. 



Clear-text packets 



Most internal LAN traffic — regardless of the operating system in use — trav- 
els across the wire in clear text. The clear text can be captured and used 
against you. 



Packet capture 

Clear-text packets can be captured with either 

A network analyzer 

I Components of the Pandora NetWare hacking suite (www . nmrc .org/ 
project/pandora) 



Part IV: Operating System Hacking 



iency 

oBocte 

manii 



Pandora can spoof NCP packets, which can give them admin equiva- 
lency on the network after the hacker logs in via a standard user 
unt that he previously compromised. A hacker could log in as a 
al user with a weak or blank password and then use Pandora to 
manipulate NetWare traffic and get admin rights on the network. 



4$ 



4^ 



Countermeasures 

You can easily set up NCP packet signing within a NetWare environment. This 
encrypts and provides proof that a packet actually originated from the send- 
ing host. NCP packet signing has four levels, but the level for the utmost 
security is level 3, which requires packet signatures. 

This can slow network traffic and place a larger processing burden on your 
server. Level-3 packet signing can decrease network performance on busy 
NetWare servers — sometimes, by more than 50 percent. 

The following steps explain how to enable level-3 packet signing: 



Enable level-3 packet signing on the server and at the top of the 
autoexec . ncf file with the following command: 

set ncp packet signature option=3 

i>* Enable level-3 packet signing on NetWare clients with these steps: 

1 . Right-click your red Novell icon in your Windows system tray. 

2. Select Novell Client Properties and Advanced Settings. 

3. Set the Signature Level to 3 (Required). 



In NetWare 3.x and earlier, passwords are sent in clear text across the net- 
work. For these versions, you can enter the following command on your 
server and in the autoexec, ncf file to help prevent passwords from being 
captured with a network analyzer: 



set allow unencrypted passwords=of f 



General Best Practices for Minimizing 
NetWare Security Risks 

Although you can't completely defend NetWare servers against attacks, you 
can come close, which is more than you can say for other leading operating 
systems. These NetWare hacking countermeasures can help improve security 
on your NetWare server above and beyond what I've already recommended. 



Chapter 13: Novell NetWare 



Rename admin 



•pBocte 



he admin account. Figure 13-9 shows how this can be done in the 
bnsoleOne utility. 



Figure 13-9: 

Renaming 
the 
NetWare 
admin 
account 
with 
ConsoleOne. 



H Novell ConsoleOne 



ATI EflH View Tools Help 
New 

Delete nds Object 
Move- 
Rename ... 

Trustees orthls Object. 

■ lies DfMultfple Objects. 
Properties^ 



u 



3 Z CMDR Pro up 



i^LDAP Group- NW51 



avadminuser 

backup 

billy 

dbuser 

doctorx 

johnnyd 

kbeaver 

mary 

nikki 

sandman 

NW51 Backup Queue 

NW51_8YS 

NW51 

Novell 'NetWare 5 Con... 
Novel I 'NetWare 5 Serv... 
NLS_LSP_NW51 
AFO0_NW51_SYS 
SAS Service -NW51 
SSLCertitltateDNS-N... 
SSLCertificatelP- NW51 
LDAP Server- NW51 



25 items I) 



iUser: admin 



[Tree: PL_TREE 




Be careful. Other applications, such as the server backup software, may 
depend on this ID. 



If you rename admin, be sure to edit any backup jobs or startup scripts that 
depend on the admin account. It's actually best to not use the admin account 
for these purposes anyway, so this may be a good time to make a change by 
creating an admin equivalent for each application that's dependent on an 
admin ID. This can help make your system more secure by reducing the 
number of places that the admin account is exposed and vulnerable to crack- 
ing on the network. 



Disable ebirectory brotisinq 

A good way to ward off attacks is to disable Public's right to browse the 
directory tree in either NetWare Administrator for NetWare 4.x or Novell 
ConsoleOne for NetWare 5.x and later. This right is enabled by default to 
enable users to browse the eDirectory tree easily. 



Part IV: Operating System Hacking 



^jttNG/ Disabling the Public Browse right or any other eDirectory or file rights can 
J ^j\ cause problems, such as locking users (including you) out of the network, 
^ I^^^V /"^l^ljPS login scripts, and disabling printing. The potential risk depends on 
y V^V/ \j|lcf\/^j^configure eDirectory. If you remove Public's Browse right, you can 
usually grant specific object rights lower in the tree where they're needed 
to keep everything working. Make sure that you test these types of critical 
changes before applying them to your production environment. 

NetWare Administrator 

Follow these steps to disable the Public browse right to eDirectory with 
NetWare Administrator (sys : \publ i c\wi n32\nwadmn32 . exe): 

1. Right-click the Root object in your directory tree. 

2. Select Trustees of this Object. 

3. Select the [Public] trustee, as shown in Figure 13-10. 

4. Uncheck the Browse object right. 



Figure 13-10: 

The default 
Browse 
right for 
[Public], 
shown in 
NetWare 
Admin- 
istrator. 



m 



A -admh.PL 
[Root] 



Obiect tights 
I - Supervisor 
F Browse 

r Delete 
V Rename 
F Inheritable 

Clear | 



Inherited Rights Filter 



All properties 
f~ Selected properties: 

Account Balance 
Account Disabled 
Aim our 'J H i: Cpraiio 



F Supervisor 
F Compare 
FRead 
F Write 
F Add Serf 
r Inheritable 



Cancel | 



Novell ConsoleOne 

Follow these steps to disable the Public browse right to eDirectory with 
Novell ConsoleOne (sys : \publ i c\mgmt\Consol e0ne\l . 2\bi n\ 
Consol eOne . exe): 

1. Right-click your tree object. 

2. Select Trustees of this Object. 



Chapter 13: Novell NetWare 



ipBooks 



3. Select the [Public] trustee and then click Assigned Rights. 
Uncheck the Browse right, as shown in Figure 13-11. 



Figure 13-11: 

The default 
Browse 
right for 
[Public], 
shown in 
ConsoleOne. 



File Edit 



KDS Rights 

®MyW0tld Trustees of this Object j 
B ^ The N — 

♦ PL The following are a;[3 



admin PL 



-lnl»l 



V Supervisor 
R Browse 
r Create 
P Rename 
r Delete 

W inheritable 



Cancel Help 



| Cancel | -wi: | Help | 




Removing bindery contexts 

Remove any bindery contexts loaded on your server. Bindery contexts are in 
place in NetWare 4.x and later to provide backward compatibility with older 
clients that need to access the servers as though they're NetWare 3.x or earlier 
servers. This is typically due to either older applications or NetWare clients 
(such as netx and VLMs) that make bindery calls instead of eDirectory calls. 

Removing bindery contexts can help prevent hacker attacks against bindery 
weaknesses. To disable the bindery context on your server, simply remark 
out the set Bindery Context line in your server's autoexec, ncf file. 

If you remove your bindery contexts, make sure that no clients or applications 
depend on NetWare bindery emulation. 



System auditing 



Turn on system auditing by running the auditcon program at a command 
prompt. This can help you track down a future intruder by auditing files, vol- 
umes, and even the directory tree. It's just good security practice as well. You 



Part IV: Operating System Hacking 



dBoc* 



can get specific instructions on using auditcon for system auditing purposes 
in the Novell Technical Information Document How to setup Auditing on your 

tsupport.novell.com/cgi-bin/search/searchtid. eg Ml 
. htm. 



TCP/IP parameters 

In NetWare 5.x and above, based on your specific version, you can prevent 
several types of DoS attacks as shown below by entering the following TCP/IP 
parameters at the server console: 



set discard oversized ping packets=on 

set discard oversized UDP packets=on 

set filter subnet broadcast packets=on 

set filter packets with IP header options=on 

set ipx netbios replication option=0 

set tcp defend land attacks=on 

set tcp defend syn attacks=on 




You can enter the preceding commands into the server's autoexec, ncf file 
so that they load each time the server starts. 



Patching 

Patch, patch, and patch again! Novell lists the latest patches for the NetWare 
versions it supports on its Web site: 

support. novel l.com/produpdate/patchli st. html#nw 



PartV 

DropBooks Application 

Hacking 



The 5 th Wave Bv Rich Tennant 




" Someone want -to look at this -manuscript 
I received on email called The Moeddfid 
Virus That Destroyed -tYie TubltsWevfe SevVevs 
Vlhen tVie "Manuscript VJas "R^ecied'?" 



DropBooks 



In this part . . . 



mM/^A, this book has covered everything from non- 
▼ ▼ technical hacks to network hacks to operating 

system hacks. One major category is left to cover: the 

applications that run on top of all of this. 

This part first covers malware (you know, those darn 
viruses, worms, and so on) and malware prevention tools, 
along with some various countermeasures. Although mal- 
ware is not particularly an application ethical hackers use 
(at least try not to use), it still affects everything else done 
on networks from a security perspective, including mes- 
saging systems and Web applications, which are also in 
this part. This part then takes a look at various messaging 
hacks and countermeasures affecting e-mail and instant 
messaging systems. Finally, this part takes a look at 
common Web application hacks, along with some counter- 
measures to secure them from the elements. 



Chapter 14 

DropBooks ~ 

Malware 



In This Chapter 

Distributing malware 
Testing your systems 
Preventing malware 



alicious software (malware) has long been one of the biggest problems 
computer users face. Viruses and worms have proved to be the biggest 
nuisances, but these types of malware are ineffective if adequate controls are in 
place. On the other hand, such types of malware as Trojan horses and rootkits 
can inflict serious harm against computers and information, and are much 
harder to defend against. 

The implications of testing your own systems with malware attacks — as 
hackers would do — are similar to some of the social-engineering and physi- 
cal-security attacks I cover elsewhere in the book. Introducing known mal- 
ware into your production systems is just not a good idea, considering that 
your business is at stake. In this chapter, although I cover some benign tests 
you can run against your systems, I focus on how malware gets onto your 
systems, how to find and remove it after an infection is found, and what 
proven countermeasures you can take to increase the odds that malware 
stays out of your systems. 



Implications of Malware Attacks 

Malware is one of the greatest threats to the security of your information. Not 
only do you have to deal with the well-known malware — the ILoveYous and 
Code Reds of the world — infecting your computers, but also, hackers are 
constantly developing new ways to wreak havoc on systems. It seems that 
every month, widespread malware attacks take place around the globe. The 
more recent attacks are mostly self-propagating — which means that they need 
no user intervention to spread across computer networks and the Internet. 
These programs attack unpatched software and gullible users opening mali- 
cious e-mail attachments 




Part V: Application Hacking 




study in malware with Ed Skoudis 



Tntrns ca?e stuayrtd Skoudis, an information- 
security consultant for International Network 
Services, shared an experience he had related 
to malware. Here's his account of what 
happened. 

The situation 

Mr. Skoudis and his penetration-testing team 
were hired by a large financial institution to 
determine whether they could break into the 
bank's updated Internetgateway infrastructure. 
This penetration test focused on the new ele- 
ments of their infrastructure, including several 
VPN gateways, firewalls, routers, and a handful 
of servers. The goal of the test was to search for 
vulnerabilities and see how deep into the target 
production network the team could penetrate. 

The Web server was where things started to get 
interesting for Mr. Skoudis and his team. During 
the test in mid-2003, while scanning all of the 
target systems for vulnerabilities with the free 
Nessus tool, the team discovered that the Web 
server was vulnerable to the WebDAV buffer- 
overflow exploit. This flaw was originally 
announced by Microsoft in March 2003, but no 
one had patched the server for 60 days. 

The outcome 

Mr. Skoudis and his team were able to execute 
commands on the machine by tickling WebDAV 
and installed the Netcattool to create a back- 
door. Then they scheduled the Netcat backdoor 
to restart every 10 minutes, to make sure they 
could re-enter the system continually if they 
were ever knocked off. Mr. Skoudis emphasized 
that penetration testers need to be extremely 
careful in choosing the type of malware they uti- 
lize in their testing regimen. As a side note, he 
stated that he installs only application-level 
backdoors that are well understood, like Netcat. 
In addition, he stressed that penetration testers 



should not install rootkits or introduce self- 
replicating code, such as viruses and worms, 
because they can make a production machine 
extremely unstable. 

With the Netcat backdoor firmly lodged on the 
target system, the team set up shop on the 
victim Windows Web server. They installed their 
scanning tools on this machine, including the 
Nmap port scanner. Using the conquered Web 
server as a jump-off point to scan further into 
the network, the team found another vulnerable 
system. This time, they discovered a poorly con- 
figured Solaris machine on the internal network 
that allowed SSH access with an easily 
guessed password. After he and his team com- 
promised the Solaris server, they installed 
another Netcat backdoor on that system. 

With two relatively common flaws — an 
unpatched Windows Web server and an easily 
guessed password — Mr. Skoudis and his team 
managed to gain deep access into the target 
network. He emphasized the possibility of this 
type of attack by a not-so-ethical hacker, along 
with the widespread availability of the malware 
needed to carry it out, and underscored the 
importance of having a solid security program. 
This includes keeping systems patched and 
educating users and administrators in selecting 
difficult-to-guess passwords. 

Ed Skoudis uses his exceptional technical 
expertise to perform security assessments, 
design secure network architectures, and 
respond to computer attacks for his customers. 
He is a well-known speaker on issues associ- 
ated with hacker tools and defenses, and has 
authored the excellent Prentice Hall books 
Malware: Fighting Malicious Code and Counter 
Hack: A Step-by-Step Guide to Computer 
Attacks and Effective Defenses. 



vuinei 

ipBo* 

it a nr 



Chapter 14: Malware 



Most malware attacks — especially the recent ones — exploit well-known 
vulnerabilities that should've been fixed months before the attacks occur. 

ately, the general practice within IT and security is to install patches 
pple get around to it. This is mostly because people either don't make 
it a priority to patch or simply can't keep up with all the patches required 
across all their systems. The hackers know this and take full advantage of it. 



The widespread malware attacks that you hear about on the news aren't the 
ones to worry about. Trojan horses, rootkits, spyware, and other devious 
programs are the scary ones. These applications can do the following: 

V List running processes and applications 
Load and kill running processes and applications 
Capture keystrokes 
Search and copy files 

u* Steal passwords 

V Edit system files 

f Turn on Web cams and microphones 

Remotely reboot computers 
f Perform practically any administrative function 

Bad things can happen if any of these events occurs on your network, includ- 
ing confidential information being stolen, computers being taken offline, and 
data being deleted. 



Types of MaluJare 

Most malware is platform-specific: It targets specific operating systems, appli- 
cations, and vulnerabilities to spread more quickly. 



Trojan horses 

Trojan horses — named after the infamous Greek wooden horse used to pen- 
etrate the city of Troy — are executable files, often transmitted via e-mail, 
that masquerade as legitimate programs but actually perform malicious acts. 



Part V: Application Hacking 



:>Botfl*S 

Many Trc 



Trojan-horse code works in the background — doing things like deleting infor- 
mation, gathering passwords, and capturing keystrokes — while a legitimate- 
rogram, such as a screen saver or game, runs in the foreground. 



Many Trojans — called remote-access Trojans, or RATs — set up backdoors on 
the systems they infect, allowing hackers to access them remotely and con- 
trol them from across the Internet. Many Trojans aren't detected by antivirus 
programs. With all things being equal (and antivirus software running), this is 
the malware you should be afraid of. Some common RATs are NetBus, 
SubSeven, and Back Orifice. 



Viruses 

Computer viruses are the best-known malware category. Viruses are pro- 
grams that are often self-replicating — meaning that they can make copies of 
themselves — and attach to executable files, deleting information and crash- 
ing computers whenever a user or other process runs the program. Even PDA 
viruses exist, some of which drain batteries and call 911 for you — how 
thoughtful! 



Worms 

Worms are self-propagating programs that travel around the Internet at light- 
ning speed. They load up in memory, effectively exploit known software vul- 
nerabilities, and often end up crashing the systems. 



Rootkits 

Rootkits are nasty applications that hackers can use to control a computer 
completely, with the ultimate prize of crashing the system or stealing informa- 
tion. Rootkits are mostly found on UNIX systems but are becoming popular 
on the Windows platform. Rootkits are sets of programs that either 

I v 0 Masquerade as typical administrator command-line programs 
I Integrate into the kernel, or core, of the operating system 

Kernel-based rootkits, such as Knark for Linux and the FU rootkit for Windows, 
tie into the actual operating system. With these programs, hackers can 



Chapter 14: Malware 



DropBocte 



Hide system processes and applications from the Windows Task Manager 
or the process list in UNIX 





ge the group membership of processes and applications so that a 
cious program can run as the system, administrator, or root account 

Modify environment variables 

Make programs look like they were run by another user, concealing the 
hacker's identity in audit logs 



SpyuJare 



Spyware programs spy on you and sometimes even capture and transmit 
confidential information from your computer. They're installed as cookies, 
Windows Registry entries, and even executables on the local computer. 

"Legitimate" spyware that may be installed by an administrator or other 
person to watch someone's computer usage includes SpectorSoft's eBlaster 
and Spector Pro, and TrueActive (formerly known as Win What Where). 

These programs are extremely powerful and capture video screen shots, turn 
on the local microphone, track Web browsing, and even forward copies of 
e-mails sent and received to a third-party address. Powerful and scary! 

Adware is similar to spyware but a little less intrusive. It tracks Internet usage 
and pulls targeted ads to specific users, based on their habits. 



Built-in programming interfaces 

Programming interfaces built into operating systems can be used maliciously: 

V Java applets are programs written in the Sun Microsystems programming 
language. Although these programs run in a sandbox — or safe area — to 
ensure that the local system is not compromised by malicious code, they 
can still cause security problems. 

Microsoft .NET applications are programs written based on the new 
application framework from Microsoft. Like Java applets, these pro- 
grams have their own playpen that helps ensure that malicious code is 
not executed. 

ActiveX controls are Microsoft-based programs that everyone loves to 
hate. ActiveX controls can be executed with minimal effort in such appli- 
cations as Internet Explorer, Outlook, and other Microsoft programs. 



Part V: Application Hacking 



pBooka 



Their control over a computer can potentially cause serious harm to a 
computer system and its stored information. 



cripts are scaled-down versions of Microsoft's Visual Basic program- 
language. Similar to ActiveX controls, these scripts can wreak 
havoc on local data. 



Many of the common malware programs traversing the Internet today 
are VBScripts. 

Windows Script Host (WSH) is a script processor built into Windows — 
similar to DOS batch files — that can be used to perform malicious acts. 

V JavaScript programs, which are similar to ActiveX and VBScripts, are 
written in Netscape's scripting language. They can cause computers 
harm if users willingly run them within Web browsers and e-mails. 

Not all applications written in these programming interfaces are malicious. 
Many legitimate programs are used every day that run just fine and don't do 
any harm. 



Logic bombs 

A logic bomb is a program — often, an automated script using regular network 
administration tools — that is scheduled to run when it's triggered by a certain 
event, such as someone's logging in, or run on a specific date or time, such as 
two weeks after an employee is let go. 

Logic bombs are a common way for disgruntled employees to seek revenge 
on their former employers. Some logic bombs have destroyed entire data- 
bases of information, including the famous logic bomb planted by Tim Lloyd 
at Omega Engineering a few years back. This program erased all the informa- 
tion from the company's NetWare server, putting a stop to its manufacturing 
processes. This event resulted in $10 million in damages to the company, and 
ultimately, 80 employees got laid off. 



Security toots 

Your own security tools can be used against you. This includes the following 
tools: 

I W Vulnerability scanners, such as Nessus and even the tried-and-true 
Netcat tool, can place backdoors in your systems. 

I *<" Network analyzers, including the ARP poisoning tools ettercap and 
dsniff. 



Chapter 14: Malware 



DOS debug program that still ships with Windows. 
NetWare debugger backdoor. 

access the backdoor by pressing Shift+Alt+Shift+Esc all at the same 
i (using both Shift keys) at the server console. 



Hou) Matu/are Propagates 

Some time back — practically forever, in computer time — most malware 
propagated via floppy disks. In 1981, the first computer virus was released: 
the Apple II Elk Cloner virus. In 1986, the first virus that affected the 
Microsoft/Intel platform — the Brain virus — was released. Both of these 
viruses were floppy-disk-based, but neither packed the punch that many 
viruses have come to inflict on their victims since that time. 

Some of the first malware exploited vulnerabilities in computer hardware and 
software architectures — like what happens today. These old-fashioned viruses 
spread very slowly by today's standards. It could take months and sometimes 
years for a few thousand systems to be infected. What's different about today's 
malware? It's the method of propagation. The Internet allows malware to 
spread around the world quickly. Malware can affect hundreds of thousands 
of systems within a few weeks, as happened with the Code Red and Nimda 
worms, or within a few minutes, as we saw with the Slammer/Sapphire worm. 
Hackers from anywhere in the world can try penetrating your systems — at 
their convenience. 



Automation 

Automated attacks are the wave of the future for malware. The Internet is not 
going away. In fact, more systems are going online — more users, more hack- 
ers, and a greater number of applications are emerging that can be affected. 
This includes Web services; peer-to-peer (P2P) software, such as instant mes- 
saging (IM); and other file-sharing technologies, such as Gnutella, Kazaa, 
Morpheus, and mobile-device applications that run on PDAs and cell phones. 



E-mail 

The most common malware attack channel is through e-mail. A hacker simply 
attaches a virus or Trojan horse to an e-mail — often, through an automated 
mechanism — and sends the message to unsuspecting users. This process is 




Part V: Application Hacking 



text 01 tn 

pBodte 

files and < 



automated with self-propagating worms making an attack even easier. The 
text of the e-mail says, "See the attached note" or "Check out this game." 

lible users open the attachment, thinking it's something that will 
up their day. Instead, it's malware looking to copy or delete local 
files and often glean e-mail addresses from the user's address book to send 
itself on to other users. If antivirus software is missing, outdated, or disabled 
at the time, this can spell bad news for the computer or network. 



Hacker backdoors 

Malware is propagated on computer systems by hackers compromising a 
host from across the network or Internet, obtaining administrator or root 
access by exploiting a known vulnerability and then installing the malware to 
their heart's content. They can set up backdoors, giving them remote access 
so they can come back and play in the future. 




Many of these infections go unnoticed indefinitely, usually until the network 
administrator suspects that something strange is going on, or the system 
crashes, or information gets stolen or erased. 



Testing 

You can carry out various tests to check for malware infections on your net- 
work, as described in the following sections. 



Vulnerable matutare ports 

You should look for Trojan ports when assessing your systems. Here are 
some common ones to look out: 

V 31337, 54320, and 54321 (Back Orifice and Back Orifice 2000) 
f 12345 and 12346 (NetBus) 

V 1243 and 27374 (SubSeven) 

When testing, look for computers listening on these ports. These port num- 
bers can usually be changed in most malware applications, so don't rely on 
these completely. 



Chapter 14: Malware 



□Books 

I of Ti 



Two great Web sites I refer to a lot when I want to see how a particular piece 
of malware works are the following: 



simovits.com/trojans/trojans. html is a comprehensive listing 
of Trojan horses. 

V PestPatrol's catalog of pests at research.pestpatrol .com/ Pest Info/ 
pestdatabase . asp. 



Manual assessment 

It helps to know your systems — what software is installed and what services 
are running. Document your baseline environment, if you haven't already, by 
using the same methods I describe in this chapter. 

If you suspect that one of your systems may be infected by malware, or you 
want to see which applications are loaded on your system, there are tools 
and techniques you can use. The key here is to search for things that just 
don't look right. 

Windows 

Because most malware affects Windows, there are various tests specific to 
that platform you can carry out to test for malware infections. 

Odd file names 

If you're unsure what a specific file does or want more details on file-format 
and header information, you have a couple of options for information: 

Check Wotsit's Format at www .wot si t . org for information on file for- 
mats and headers. 

Search for the filename in Google with both Web and Groups searches. 
Netstat 

Run netstat an at a command prompt. 

■ v 0 The a option displays all connections and listening ports. 

The n option displays IP addresses and port numbers in numeric form to 
make them easier to read. 

You see something similar to the following list: 



Part V: Application Hacking 



Active Connections 



Proto Li 

d Boots 

TCP 0 



Proto 


Local 


Address 




Foreign Address 


State 






0.0 


0:80 




0.0.0.0:0 


LISTENING 






0.0 


0:135 




0.0.0.0:0 


LISTENING 


TCP 




0.0 


0:445 




0.0.0.0:0 


LISTENING 


TCP 


10 


.11 


12.202: 


139 


0.0.0.0:0 


LISTENING 


TCP 


10 


.11 


12.202: 


1044 


208.215.179.139:80 


CLOSE_WAIT 


TCP 


10 


.11 


12.202: 


2099 


10.11.12.204:139 


ESTABLISHED 


TCP 


10 


.11 


12.202: 


2100 


10.11.12.2:139 


T I ME_WA I T 


UDP 


0. 


0.0 


0:445 








UDP 


10 


.11 


12.202: 


137 






UDP 


10 


.11 


12.202: 


138 







The preceding example shows several Microsoft NetBIOS networking ports 
(135, 137, 138, 139, and 445) and an HTTP connection in progress (port 80). 
The NetBIOS connections may be questionable, but I've actually initiated 
those connections, so I trust that they're legitimate. 

Look for connections to the following ports to scope out possible malware or 
other hacker behavior in progress: 



V NetBIOS ports 

i>* Common malware ports 

Ports that can indicate malicious behavior, including telnet (TCP port 23) 
and FTP sessions that shouldn't be occurring (TCP ports 20 and 21) 



Port mapping 

A port-mapper program shows which applications are actually connected to 
the specific open ports. 

My favorite port mapper is a free tool called Vision by Foundstone (www . 
f oundstone .com). I recommend this tool for your toolbox. 

Figure 14-1 shows the detailed information that Vision can provide. Ports 
12345 and 12346 are mapped to c : \temp\Patch . exe. That's the NetBus 
server executable — yikes! 



Task Manager 

Press Ctrl+Alt+Del to load the Windows Task Manager and see whether any 
strange applications or processes are loaded. 



Many strange-looking processes are legitimate. Make sure that you know what 
you're dealing with, so you don't stop a legitimate program. A quick Google 
search on the filename usually provides enough information. Just because it's 
not there doesn't mean it's not loaded, though, because some processes, such 
as the FU rootkit for Windows, have the ability to hide themselves. 



Chapter 14: Malware 



Fimirp - 



Figure 14-1: 

Running 
Vision to 
map ports 
to actual 
applications 
running on a 
system. 



■ -mi>l 




TCP/IP Port Mapper - 



System Info Q 



FID 


Process 


I Port 


I Proto 


I Remote IP 


| Path 




2434 


Patch 


12345 


TCP 




L 


\temp\Patch. exe 




2464 


Patch 


12346 


TCP 




C 


\temp\Patch exe 




2420 


lEXPLORE 


1535 


UDP 




c 


\Pro-gram FilesMnternet Exploier\IEXPLORE.EXE 




23)0 


mozilla 


1491 


TCP 


127.0.0.1:1492 


c 


■Prog:. am Fil«- '■ -rio;:lb org\Mnriil.;i'..mo::il!.a 




2300 


rr ozilla 


1492 


TCP 


127.0.0.1:1491 


c 


■.Program File: Ha org\Mozilla\mozilla. exe 




1476 




1039 


TCP 




c 


■Prog: am File: Vlc-mmon File.^ii'mai-itec SharecKccApp.exe 




998 


MSTask 


1025 


TCP 




c 


\WI N N T ^system32 W S T ask exe 




464 


svchost 


135 


TCP 




c 


\WINNUsystem32Wchost.exe 




344 


lEXPLDRE 


1460 


UDP 




c 


\Program FilesMnternet Explorer\IEXPLORE.EXE 




900 




500 


UDP 




c 


\WINNT \system32Vsass.exe 




8 


System 


139 


TCP 










8 


System 


427 


TCP 












System 


445 


TCP 










8 


System 


1036 


TCP 










8 


System 


1370 


TCP 


10.11.12.207:524 








8 


System 


1396 


TCP 


10.11 12.207:524 








<[ 1 





Net use 

You can run net use at a command prompt to see what drives are mapped 
to external systems. Look for drive mappings that should not be there. 

Registry 

Look in your Windows Registry under the following HKEY_L0CAL_MACHI NE 
(HKLM) keys for strange-looking applications that are loading. This is a 
common place for malware to be initiated upon startup. 

HKLM\S0FTWARE\Mi crosof t\Wi ndows\CurrentVersi on \ Run 
HKLM\Microsoft\Windows\CurrentVersion\RunOnce 
HKLM\S0FTWARE\Mi crosof t\Wi ndows\CurrentVersi on\Run0nceEx 

Startup files 

Check your Windows startup folder and files such as autoexec.bat and 
conf i g . sys in the root directory of the C: drive for any applications that 
don't belong. Unknown programs can signal that a rogue application is con- 
figured to start every time the computer boots. 

Linux 

For your Linux-based systems, you can run various tests to find out more 
about what's running on your systems. 

netstat 

Run netstat at to view active network connections. 

Figure 14-2 shows that a Web server and SSH server are running with two 
computers connected to these services. In addition, you see that the XI 1 ser- 
vice for X Window along with the domain service (DNS), sunrpc, and SMTP 
service for e-mail. Check these types of things before a suspected attack 
occurs so that you know what belongs and what doesn't. 



Part V: Application Hacking 



pBoql 

tcp 



Figure 14-2: 

Running 
netstat in 
Linux shows 
the network 
connections. 



I 7 ^ Linux - SecureCRT 



File Edit View Options Transfer Script Window Help 





taWjost 


stain] It netstat -at 








tel 


et 


connections {servers and established) 




PrRo 




I-l l: L 


Local Address 


Foreign Address 


State 


tcp 


0 




0 


»:32768 




LISTEN 


tcp 


0 




0 


local host . local dc :32769 




LISTEN 


tcp 


0 




0 


*:sunrpc 




LISTEN 


tcp 


0 




0 


*:http 




LISTEN 


tcp 


0 




0 


»:xii 




LISTEN 


tcp 


0 




0 


10.11.12.205:do»ain 




LISTEN 


tcp 


0 




0 


local host .locald : domain 




LISTEN 


tcp 


0 




0 


»;ssh 




LISTEN 




0 




0 


local host .local dem :rndc 




LISTEN 




o 




0 


»:1241 




LISTEN 


tcp 


0 




0 


local host . local dom :sfitp 




LISTEN 


tcp 


0 




0 


*:https 




LISTEN 




0 




0 


10.11.12.205:http 


pc2:1235 


TIME WAIT 




0 




0 


10.11.12.205:http 


pc2:1234 


TIME WAIT 




0 




0 


10.11.12.205:http 


pc2:bucontrol 


TIME.WAIT 




0 




20 


10.11.12 .205 isih 


pcl:1853 


ESTABLISHED 


[root@l Deal host sbinllt | 




Ready 








sshl ; 3DES 


20, 24 20 Rows, 81 Cols 


VT100 



a! 



1 



lsof 

The lsof utility lists open files, as shown in Figure 14-3, so you can check for 
strange connections. This is similar to the Vision program for Windows. 



Figure 14-3: 

Using the 
lsof utility to 
look for 
potential 
malware 
applications 
that are 
loaded. 



File Edit View Options Transfer Script Whdow Help 

ft | % B q, 3 3 # | « & 



■ -inixi 



[l-nntrtllnrall-iiD^t nbin]» ./lsof • 

COMMAND F 

portmap ' 

portmap ' 

rpc.statd ' 

rpc.statd ' 

sshd I 

xinetd ( 

ntpd ( 

ntpd ( 

ntpd ( 



3006 root 
id 10633 root 

id 10635 santall 

ratdlocalhost sbin]# | 



TYPE DEVICE SIZE 

IPv4 88b 

IPu4 887 

IPv4 945 

IPu4 948 

IPu4 1273 

IPi/4 132S 

IPi/4 1349 

IPu4 1350 

IPu4 1351 

IPv4 1400 

IPi/4 1811 

IP«4 4811 

IP«4 13092 

IPv4 13092 



MODE NAME 
UDP *:sw-irpc[portmapper] 
TCP *:sunrpc[portnapper] (LISTEN) 
UDP *-:32768[status: 
TC'F .;32763[staUi5] (LISTEN: 
TCP *:ssh (LISTEN) 

TCP localhost.localdomain:32769Csgi_far«] (LISTEN) 
UDP *:ntp 

JDF _ I'C ?I |-.'j5 1. . loc =,1 : lo:,| =,m ; ■-,t. t :. 
UDP 10.11.12,205:ntp 

TCP localhost.localdomainlsmtp (LISTEN) 
TCP »:xll (LISTEN) 
TCP *:1241 (LISTEN) 

TCP 10.11.12 .205 :ssh->pcl;lB37 (ESTABLISHED) 
TCP 10.11.12.205:ssh->pcl:ie37 (ESTABLISHED) 

:sshl:3DE5 ; 17, 24 17 Rows, 98 Cols Vnrjo I 



ps 

The ps utility displays running processes, as shown in Figure 14-4. You can 
check for strange applications that don't look right. 

This is why it helps to know what's supposed to be loaded! 



Startup files 

Check your Linux startup files (such as i n e t d . c o n f and x i n e t d . c o n f ) for 
any applications that don't belong. Unknown programs can signal that a 
rogue application is configured to start every time the computer boots. 



Chapter 14: Malware 



)pBociR 



Figure 14-4: 

Running the 
ps utility to 
display 
running 
processes. 

















— i 

3 


File Edit 


View Options 


Transfer Script Wind™.". 


Help 












m ■ - 

IB \ 




G? ^ M 












5 till 


J 3 pt: 














i Lc 


Ed* 


CPU 


%HEM 




RSS TTV 


STfiT 


START 


TIME COMMAND 


§ r\ 






0.2 




460 7 


s 


Dec07 


0:05 init 








1 , 1 


0.0 


0 


0 7 


SW 


Dec07 


0;00 Ekeuentdl 








v". 


0.0 


0 


0 7 


SW 


Dec07 


0:00 Ckapntd] 






4 


0.0 


0.0 


0 


0 7 


!t;wn 


Dec07 


0:00 Cksoftirqd_CPUO] 












0 


0 7 


SW 


Dec07 


0:06 Cksuapd] 




- c : r 


6 


olo 


olo 


0 


0 7 


SW 


Dec 07 


0:00 [bdflush] 






7 


0.0 


0.0 


0 


0 7 


SW 


Dec07 


0:00 IkupdatedD 






B 


0.0 


0.0 


0 


0 7 


SW 


Dec07 


0:00 Cmdrecoueryd] 






14 


0.0 


0.0 


0 


0 7 


SW 


Dec07 


0:00 Cscsi_eh_0] 






17 


0.0 


0.0 


0 


0 7 


SW 


Dec07 


0:01 Ckjournald] 






73 


0.0 


0.0 


0 


0 7 


SW 


Dec07 


0:00 [khubd] 






165 


0.0 


0,0 


0 


0 7 


SW 


Dec07 


0:00 Ckjournald] 






4% 


0,0 


0.2 


1324 


532 7 


s 


DecOT 


0:00 syslogd -m 0 






460 


0.0 


0.2 


1264 


432 7 


s 


Dec07 


0:00 klogd 




rpc 


478 


0.0 


0.2 


1404 


528 7 


s 


Dec07 


0:00 portmap 






497 


0.0 


0.3 


1444 


728 7 


s 


Dec07 


0:00 rpc.statd 






579 


0.0 


0.2 


1256 


488 7 


s 


Dec07 


0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /et 






61b 




0.7 


5200 


1426 7 


s 


Dec07 


0:05 /usr/sbin/sshd 






630 


0.0 


0.4 


1996 


916 7 


s 


Dec07 


0:00 xinetd -stayaliue -reuse -pidfile / 






644 


0," 


0.9 


1836 


1828 7 


SL 


Dec07 


0:00 ntpd -U ntp 






668 


0.0 


1.1 


4960 


2224 ? 


s 


Dec07 


0:02 sendntail: accepting connections 




smmsp 


678 


0,0 


1.0 


4776 


2000 7 


s 


Dec07 


0:00 sendntail; Queue runrier@01;00;00 for 






688 


0.0 


0.2 


1300 


428 7 


s 


Dec07 


0:00 gprn -t ps/2 -m /dev/mouse 






697 


0.0 


0.3 


1432 


620 7 


s 


Dec07 


0:00 crond 




xfs L 


728 


0.0 


1.6 


4432 


3232 7 


s 


Dec07 


0:00 xFs -droppriu -daemon 


j 


daemon 


746 


0.0 


0.2 


1292 


524 7 


s 


Dec07 


0:00 Aisr/sbin/atd 






772 


0.0 


0.2 


1244 


3B8 ttyl J? 


Dec07 


0;00 /sbin/mingetty ttyl 


















Sshl;3DES 17,34 29 Rows, 98 Cols VT100 





NetWork card 

Determine whether someone or some malware has placed the machine's net- 
work card into promiscuous mode, indicating the use of a network analyzer. 
Enter this line at the command prompt: 

ifconfig -a | grep PROMISC 

If the return value is not empty, an interface is running in promiscuous mode. 




You can enter this command into a cron job that runs every few hours that 
can alert you if one is found. 



Antivirus software testing 

For starters, check whether your antivirus software is actually working. 




Before you begin testing your antivirus software, make sure that you have the 
latest virus software engine and signatures loaded. 



You have a couple of safe options for checking the effectiveness of your 
antivirus software, as described in the following two sections. This is by no 
means a comprehensive method of testing your malware-protection mecha- 
nisms, but it serves as a good, safe start. 

Eicar test string 

Eicar is a European-based malware think tank that has worked in conjunction 
with malware vendors to provide this basic system test. The eicar test string 



Part V: Application Hacking 



is transmitted in the body of an e-mail or as a file attachment so that you can 
see how your server and workstations respond. You basically access this file — 
tlioh ^ntains the following 68-character string — on your computer to see 
t|e\ig^your antivirus or other malware software detects it: 

X50! P%@AP[4\PZX54( P A )7CC )7 ) $EICAR STANDARD- ANT I VI RUS-TEST-FI LE! $H+H* 




You can download a text file with this string from www .eicar.org/anti_ 
vi rus_test_f i 1 e . htm. Several versions of the file are available on this site. 
One version is a zip file. I recommend testing with this file to make sure that 
your antivirus software can detect malware within compressed files. 



When you run this test, you may see results similar to Figure 14-5 from your 
antivirus software. 



DropBoG 



Morton Antivirus 



Figure 14-5: 

Using the 
eicartest 
string to test 
antivirus 
software. 



virus Alert 




Norton Antivirus has detected and removed a virus from your 
computer, 

Object Name: C:\temp\eicar.com 
Virus Name: EICAR Test String 
Action Taken: The file was automatically deleted, 




GFl's Email Security Testing Zone 

A freebie at www . gf i . com/emai 1 securi tytest is a good e-mail malware test 
to run against your server and clients. This series of tests sends e-mails with 
malicious-like scripts in such programming languages as Visual Basic and 
ActiveX to check exactly what gets through your e-mail system. These aren't 
malicious tests — just tests that should invoke your antivirus software or 
other protective measures on your e-mail server or gateway if your software 
is configured and working correctly. 



NetWork scanning 

Use Nmap, SuperScan, or your favorite port-scanning tool to check for abnor- 
mal ports open on your network hosts. 



Chapter 14: Malware 




Some connections that show as open aren't necessarily accurate and depend- 
able. You may need to investigate unknown ports on the systems further by 
jort-mapping tool such as Vision for Windows or lsof for Linux, as 
previously in this chapter. 



aDie. you n 
/^slng a-soi 
Vjje|\i©d 



Using SuperScan, you may find the following results in a quick network scan: 



* - 10.10.1.1 fsl 

| 12345 Win95/NT Netbus backdoor 

* - 10.10.1.2 [Unknown] 

* - 10.10.1.4 laser 

* + 10.10.1.204 PC100 

| 12345 Win95/NT Netbus backdoor 

* + 10.10.1.209 DQ 

I 12345 Win95/NT Netbus backdoor 



You can also use Nmap to find specific malware ports, as shown in Figure 14-6. 



Figure 14-6: 

Nmap 
results 
showing the 
NetBus 
server 
listening on 
ports 12345 
and 12346. 



nnapJnnap -p 1-65535 10.11.12.204 

rting nnap 3.48 < http^/www. inseci 
ndard Time 

eresting ports on pc2 (10.11 .12 .204> : 
(The 65529 ports scanned but not shown below 
PORT STATE SERUICE 

135/tcp open ntsrpc 
139/tcp open netbios-ssn 
445/tcp open microsof t~ds 
1025/tcp open NFS-or-I IS 
12345/tcp open NetBus 
12346/tcp open NetBus 



i completed — 1 IP addres 



org/nmap > at 2003-12-15 11:15 Easte: 
state: closed) 



220.056 seconds 





During a recent incident response project that I was on, I found dozens of 
computers listening on TCP port 12345 — the default port of the NetBus 
Trojan! Needless to say, I was quite concerned. After some poking around, 
I discovered that NetBus had not infested the network, as it originally 
appeared. It was the OfficeScan NT antivirus product by Trend Micro that 
was listening on that port — who would've thought? Major lesson learned. 



\\V & ' recommend scanning your entire network for spyware with PestPatrol 

Auditor's Edition (www . pestpatrol . com) or a similar program. Figure 14-7 
shows the results of a stand-alone PestPatrol scan on the local computer; it 
found NetBus and several spyware cookies. PestPatrol detects spyware, 
adware, Trojans, and some rootkits. 



P art V: Application Hacking 



File Options Logs Help/ Info 

PestPatrol 



DropBools 



Figure 14-7: 

Sample 
results from 
a PestPatrol 
scan. 



■-inlxl 



| Info | Advanced | 
Tog | Remove Fiom Querantine | 




Delete Quarantine Del Cookies Exclude Clear Log EMail Support 



File Info 



Category: RAT 
Author Cail-Fie dnl ! 
Release Date: 9/28/2001 0:00. 
Background Info: Click here 



9 Backdoor Nelbu: di 



In File: C:\lemp\NetBus.ene 
FVT: 722545794 
MD5: Cb7a8e2d5ccfeGeeed1ledf... 
Date: 11/1 4/1398 2:04:18 AM 
File Analysis: Loot, up with r-- [ 5 
In File: C:\WINNT\keyhook. dri 
Dale: 12/15/2003 1 1 :00 0b AM 



In File: C:\DocurrtenlsandSettin... 
Tracking URL: mediaoleK.com 
Hits: 2 

Received: lj/15003 9.40:40 
Fxmrex flh.-'l 'TiiTh 7 nnTlO PM 



Certainty: Confirmed 
T hreatens: Cunlidential i', 
Risk: Moderate ■ this file can l_ 
Advice: Delete or quarantine 



Finished! Objects scanned: 9.010 Pests found: 11 Last Pest Found: NetBus 




Every time I run a full scan on my system, tools are called suspect, and my 
software — antivirus software especially — tends to "clean up" those tools 
for me. I must either replace my security tools from backup or download and 
install them again. If any of your security tools or security testing software 
may look like malware on your computer, either 



«* Keep backup copies of the original installation files. 

v* Have your malware-protection software skip the files or directories 
where your security tools are installed. 



Of course, if an infection is suspected — and periodically, such as once a 
month, even when infections aren't suspected — run your antivirus software 
against all the computers on your network. Another tool to double-check your 
systems is McAfee's AVERT Stinger (vi 1 . nai . com/vi 1 / sti nger). This stand- 
alone antivirus executable checks for several dozen of the latest common mal- 
ware items and known variants of each. 



Behariorat-anatysis toots 

For a neat set of tests to find whether your Windows-based systems are sus- 
ceptible to behavioral-based malware attacks — that is, attacks that don't 
match a specific signature, but perform a function such as writing to the local 
hard drive — check out the demos at the Finjan Software Test Center at www . 
f i n j an . com/mcrc/sec_test . cfm. These tests — which include "malicious" 



Chapter 14: Malware 



ipBoaks 

In my tesl 



executables, JavaScript, ActiveX, and Visual Basic — safely show you just 
what can happen without the proper malware protection in place on your 



my testing, few antivirus and personal firewall applications actually detected 
any wrongdoings when running these tests. The scripting tests require you to 
grant permission to load the scripts — many users just do this automatically! 



MatWare Countermeasures 

You can implement various countermeasures to prevent malware attacks 
against your systems, as described in the following sections. 



General system administration 

Security countermeasures within your organization can help prevent attacks: 

i>* Your first and foremost goal should be to keep hackers and malware out 
of your systems in the first place. If you perform the other countermea- 
sures and system-hardening best practices mentioned throughout this 
book and referenced in Appendix A, you're on your way. 

Create an incident-response plan. The FedCIRC Incident Handling 
Checklists at www . fedc ire. gov/ inci dent Response/ 1 Hchecklists. 
html is a good place to start. 

No matter what measures you have in place to protect your systems 
from malware infections, you'll probably be attacked sometime. Plan 
ahead so you don't have to make critical decisions under pressure. 

V Before deploying networkwide any programs downloaded from the 
Internet, test and analyze the programs for malicious behavior on iso- 
lated systems. 

Use malware-protection software (such as antivirus, spyware protection, 
and Trojan testers). 

Two guidelines can increase the effectiveness of your protection: 

• Load the software on the layers of your network wherever possible, 
including on firewalls, content-filtering servers, e-mail gateways/ 
firewalls, e-mail servers, and e-mail clients. 





Part V: Application Hacking 



DBooks 



Use different malware-protection applications (from multiple ven- 
dors) or a program that combines the scanning engines of several 
antivirus vendors in one fell swoop, such as Antigen from Sybari 
Software (www . syba ri .com/home). 



i>* Apply the latest software patches — especially critical security updates. 

v 0 Back up critical systems regularly. This could include performing the 
following: 

• Image or other backup that can be restored quickly in the event of 
a serious infection 

• Copies and MD5 or SHA checksums of critical executables in case 
you need to restore or compare existing ones for authenticity 

• Emergency repair disks for critical systems in case of a malware 
infection 

v* Enable heuristics protection in your antivirus software, if possible, to 
help detect behavioral anomalies that need to be blocked or cleaned. 

Never rely on digitally signed code — such as ActiveX controls that 
Internet Explorer downloads and prompts you to load — to run properly 
on your systems. Digital signatures on this code verify only that it came 
from a trustworthy source — not how it actually behaves when it's 
loaded. 

V Don't just disable such application interfaces as ActiveX, Windows 
Script Host, JavaScript, and Java without a good reason. 

All these programming interfaces have some legitimate uses. Applications 
can stop working if these interfaces are disabled haphazardly. If the other 
security controls I mention here are in place, your systems should be 
pretty secure from malware written in these languages. You want to find a 
good balance between security and usability for your users so that secu- 
rity doesn't get in the way of people doing their jobs. 

Make sure that a firewall is always in place on your network. Use it to 
look for 

• Suspicious ports in use (or trying to be used) 

• Heavy traffic patterns that can signal a malware infection 

V Use IDS and IDP systems to stop potential malware infections in their 
tracks when they try to enter your network. 

Run a rootkit-detection application: 

• Rkdet (vancouver-Webpages . com/ rkdet) for Linux checks for 
someone installing a rootkit or other malware on your systems. 

• chkrootkit (www .chkrootkit.org) tests after the fact for over 50 
different installed rootkits on many popular flavors of UNIX. 



Chapter 14: Malware 



255 



E-mails 



DropBootbi 



:>n to the preceding security countermeasures, you can implement 
-mail-specific malware-protection measures: 




Make it policy for users not to open unsolicited e-mails and any attach- 
ments — especially those from unknown senders. 

i>* Plan for users who ignore or forget about the policy of leaving unsolicited 
e-mails and attachments unopened. 

These automatic technical measures can help prevent malware from 
infecting user systems: 

• At the server or e-mail gateway, filter e-mails that have executable 
attachments, such as .com, . exe, . pif, . scr.and . vbs. The File 
Extension Source at f i 1 ext . com has information about more than 
8,500 file types. 

• Always run antivirus software wherever it can be installed — at the 
handheld, desktop, and server levels, if possible. 

• Run antivirus software at the server or gateway levels, if possible. 

Make sure that encrypted files and emails can be protected against 
malware. 

• Encryption won't keep malware out of files or e-mails. You'll just 
have encrypted malware within the files or e-mails. 

• Encryption keeps your server or gateway antivirus from detecting 
the malware until it reaches the desktop. 




Files 



You must perform regular malware protective maintenance on your file sys- 
tems. The following countermeasures will help: 

Periodically scan all possible systems on your network, and enable real- 
time malware protection that can't easily be disabled by users. 

Scan all files — not just executable ones — to help prevent unknown 
malware issues. 

u* Consider changing file associations for potentially malicious executa- 
bles, such as com, .exe, .pif, . scr, and . wsh. 

For example, you can change the Windows Script Host file associations 
to something like Notepad.exe in case they're ever launched. That way, 
Notepad will load the file instead of the Windows Script Host engine. 



Part V: Application Hacking 



DropBooks 



Chapter 15 

DropBooks. ~ ~ A 

Ivlessaging Systems 



In This Chapter 

Attacking e-mail systems 
Assailing instant messaging 
Securing your servers and clients 



essaging systems — those e-mail and instant messaging (IM) applica- 
tions that we depend on — are often hacked within a network. Why? 
Well, from my experience, messaging software — both at the server and 
client level — is vulnerable because network administrators forget about 
securing these systems, believe that antivirus software is all that's needed 
to keep trouble away, and ignore the existing security vulnerabilities. 

In this chapter, I show you how to test for common e-mail and instant- 
messaging issues. I also outline key countermeasures to help prevent these 
hacks against your systems. 



Messaqinq-System Vulnerabilities 

E-mail and instant-messaging applications are hacking targets on your net- 
work. In fact, e-mail systems are some of the most targeted. Given the prolif- 
eration and business value of instant messaging and other P2P applications, 
attacks against networks launched via instant-messaging channels will be at 
least as common as e-mail attacks. 

A ton of vulnerabilities are inherent in messaging systems. The following fac- 
tors can create weaknesses: 

Security is rarely integrated into software development. 

Convenience and usability often outweigh the need for security. 

Many of the messaging protocols were not designed with security in 
mind — especially those developed several decades ago, when security 
wasn't nearly the issue it is today. 





Part V: Application Hacking 



Many hacker attacks against messaging systems are just minor nuisances; 
others can inflict serious harm on your information and your organization's 
relufati^n. The hacker attacks against messaging systems include these: 



*** Transmitting malware (as I describe in Chapter 14) 

V Crashing servers 

f* Obtaining remote control of workstations 

V Capturing and modifying confidential information as it travels across the 



i/ 0 Perusing e-mails in e-mail databases on servers and workstations 

Perusing instant-messaging log files on workstation hard drives 

v 0 Gathering messaging trend information, via log files or a network ana- 
lyzer, that can tip off the hacker about conversations between people 
and organizations 

*<* Gathering internal network configuration information, such as host- 
names and IP addresses 

Hacker attacks like these can lead to such problems as lost business, 
unauthorized — and potentially illegal — disclosure of confidential infor- 
mation, and loss of information. 



The following e-mail attacks exploit the most common e-mail security vulner- 
abilities I've seen. The good news is that you can eliminate or minimize most 
of them to the point where your information is not at risk. You may not want 
to carry out all these attacks against your e-mail system — especially during 
peak traffic times — so be careful! 

Some of these attacks require the basic hacking methodologies: gathering 
public information, scanning and enumerating your systems, and attacking. 
Others can be carried out by sending e-mails or capturing network traffic. 



E-mail bombs can crash a server and provide unauthorized administrator 
access. They attack by creating DoS conditions against your e-mail software 
and even your network and Internet connection by taking up so much band- 
width and requiring so much storage space. 




network 



E-Mail Attacks 



E-mail bombs 



Chapter 15: Messaging Systems 




dy in e-mail hacking with Thomas Akin 



nomas Akin, a well-known 
expert in e-mail systems and forensics, shared 
with me an experience in e-mail hacking. Here's 
his account of what happened. 

The situation 

Mr. Akin was involved in a case where a client's 
e-mail system was blacklisted for sending hun- 
dreds of thousands of spam e-mails. The client 
spent two weeks reconfiguring its e-mail server 
in an attempt to stop the spam e-mails from 
going through the system. The client looked at 
every technical possibility — including making 
sure that the server was not an open SMTP 
relay — but nothing worked. Over 100,000 spam 
e-mails a day were being sentth rough the com- 
pany. After losing several customers because 
the company couldn't send them any e-mails, 
the company called Mr. Akin to see whether he 
could help. 

Mr. Akin first checked to see whether the e-mail 
system was acting as an open relay, but it was 
not. Because the e-mail system wasn't miscon- 
figured, there shouldn't have been any reason 
for blacklisting the client. Then he reviewed the 
spam e-mail headers, expecting to see a stan- 
dard spoofed e-mail. Instead, after reviewing 
the headers, he saw that they were coming 
from the company's e-mail system. Not only 
that, but they were also originating from a 
reserved IP address — an address that isn't 
even allowed on the Internet. 

Momentarily stumped, Mr. Akin looked at the 
text of the e-mail messages themselves. "One 
time only!" "Buy me now!" "Best deal ever!" 
This is the standard spam nonsense, exceptthat 
these e-mails were signed by Laura and John 
(names disguised to protectthe guilty). Not only 



that, Laura and John listed their phone numbers 
so potential customers could contact them 
easily — 555-1234. How nice of them! 

The outcome 

A quick search online turned up a phone- 
number match to a Laura and John living in East 
Bumble, USA. Bingo! It turned out that John 
was a former employee and that his dial-up 
account had not been disabled when he was 
fired from the company. A quick glance at the 
log files showed that the "john" account had 
used the company's dial-up access during the 
exact times the spam e-mails were sent out. 
The company immediately disabled the 
account, and the spam e-mails stopped. 

Even though the spamming was stopped, the 
company was desperate to know how the 
e-mails were being sent through its system. The 
dial-up account should have allowed only lim- 
ited access through a menu system — not full 
access to the organization's network. After 
some research, Mr. Akin determined that John 
had bypassed the dial-up's menu system and 
was using a program called slirp to turn his 
internal dial-up connection into a full Internet 
connection. Because John was dialing into the 
company's modem bank, the e-mail system saw 
him as an internal user, letting him send e-mail 
to anyone and anywhere he wanted. The com- 
pany quickly reviewed all dial-up accounts and 
found that over two dozen accounts were still 
active and being used by former employees! 

Thomas Akin is the founding director of the 
Southeast Cybercrime Institute at Kennesaw 
State University. He is a CISSP, holds several 
networking certifications, and is a member of 
Mensa. 



Part V: Application Hacking 



Ar* attack! 

DropBoafe 



Attachments 

An attacker can create an attachment-overloading attack by sending hundreds 



nds of e-mails with very large attachments. 



Attacks 

Attachment attacks may have a couple of different goals: 




The whole e-mail server may be targeted for a complete interruption of 
service with these failures: 

• Storage overload 

Multiple large messages can quickly fill the total storage capacity 
of an e-mail server. If the messages aren't automatically deleted by 
the server or manually deleted by individual user accounts, the 
server will be unable to receive new messages. 

This can create a serious DoS problem for your e-mail system, 
either crashing it or requiring you take your system offline to clean 
up the junk that has accumulated. A 100MB file attachment sent 
ten times to 80 users can take 80GB of storage space. Yikes! 

• Bandwidth blocking 

An attacker can crash your e-mail service or bring it to a crawl by 
filling the incoming Internet connection with junk. Even if your 
system automatically identifies and discards obvious attachment 
attacks, the bogus messages eat resources and delay processing of 
valid messages. 

f" An attack on a single e-mail address can have serious consequences if 
the address is for a really important user or group. 




Countermeasures 

These countermeasures can help prevent attachment-overloading attacks: 

Limit the size of either e-mails or e-mail attachments. Check for this 
option in e-mail server configuration options (such as those provided in 
Novell Group Wise and Microsoft Exchange), e-mail content filtering, and 
e-mail clients. 

This is the best protection against attachment overloading. 

I v 0 Limit each user's space on the server. This denies large attachments 
from being written to disk. Limit message sizes for inbound and even 
outbound messages if you want to prevent a user from launching this 
attack inside your network. I've found 10MB to 20MB to be good limits. 



Chapter 15: Messaging Systems 




doing 



Consider using FTP or HTTP instead of e-mail for large file transfers. By 
doing so, you can store one copy of the file on a server and have the 
lent download it on his or her own. This can help keep message 
sizes at a minimum. 



Connections 

A hacker can send a huge amount of e-mails simultaneously to addresses on 
your network. These connection attacks can cause the server to give up on ser- 
vicing any inbound or outbound TCP requests. This can lead to a complete 
server lockup or a crash, often resulting in a condition where the attacker is 
allowed administrator or root access to the system! 

Attacks 

This attack is often carried out in spam attacks, which are covered later in 
this chapter. 

Countermeasures 

Many e-mail servers allow you to limit the number of resources used for 
inbound connections, as shown in the Number of SMTP Receive Threads 
option for Novell GroupWise in Figure 15-1. It can be next to impossible to 
completely stop an unlimited amount of inbound requests. However, you can 
minimize the impact of the attack. This setting limits the amount of server 
processor time, which can help prevent a DoS attack. 



Figure 15-1: 

Limiting the 
number of 
resources to 
handle 
inbound 
messages. 



EH 



SMTP.WIME - j LDAP | PQP3j1MAP4 | Server Directories | 



P Enable SMTP service 
NurnberofSMTP Send Threads: 
Number of SMTP Receive Threads: 
Hostname/DNS "A Record" Nam* fi: h" 'i . -ij 
Relay Host (or Outbound Messages: j 
Scan Cycle for Send Directory: j 7~0 -^j g 
r Bind to TCP/IP address at connection time 



r | Reattach | Post Otlice Links | GroupV | ■ 1 1 




J '" ■ ilM . ■'! | ■,[. I [ 



Part V: Application Hacking 




Even in large companies, there's no reason that thousands of thousands of 
inbound e-mail deliveries should be necessary within a short time period. 



iiail servers, especially UNIX-based servers, can be programmed to 
deliver e-mails to a daemon or service for automated functions. If DoS protec- 
tion isn't built into the system, a hacker can crash both the server and the 
application that receives these messages. 

Autoresponders 

An interesting attack I've seen is to find two or more users on the same or dif- 
ferent e-mail systems that have autoresponder configured. Autoresponder is 
that annoying automatic e-mail response you often get back from random 
users when you're subscribing to a mailing list. A message goes to the mailing- 
list subscribers, and then users have their e-mail configured to automatically 
respond back, saying they're out of the office or, worse, on vacation. This is a 
great way to tell thousands of people that your house and belongings are pos- 
sibly available for taking — but I digress. 



Attacks 

An autoresponder attack is a pretty easy hack. Many unsuspecting users and 
e-mail administrators never know what hit them! The hacker sends each of the 
two (or more) users an e-mail from the other simply by masquerading as that 
person (an easy hack I outline in this chapter). This attack can create a never- 
ending loop that bounces thousands of messages back and forth between 
users. This can create a DoS condition by filling either the user's individual 
disk space quota on the e-mail server or the e-mail server's entire disk space. 




Countermeasures 

The best countermeasure for an autoresponder attack is to make it policy 
that no one sets up an autoresponder message. Those messages are too 
annoying to be of value anyway, right? 

Prevent e-mail attacks as far out on your network perimeter as you can. The 
more traffic or malicious behavior you keep off your e-mail servers and clients, 
the better. 

Automatic e-mail security 

You can implement the following countermeasures as an additional layer of 
security for your e-mail systems. 



Tarpitting 

Tarpitting detects inbound messages destined for unknown users. If your 
e-mail server supports tarpitting, it can help prevent spam or DoS attacks 
against your server. If a predefined threshold is exceeded — say, more than 



Chapter 15: Messaging Systems 



> p B 0 Q}fi&*atts 



ten messages — the tarpitting function effectively blocks traffic from the send- 
ing IP address for a period of time. 



E-mail firewalls and content-filtering applications (such as CipherTrust's 
IronMail and NetlQ's MailMarshal, respectively) can prevent various e-mail 
attacks. These tools protect practically every aspect of an e-mail system. 

Perimeter protection 

Although not e-mail-specific, many firewall, IDS, and IDP systems can detect 
various e-mail attacks and shut off the attacker in real time. This can come in 
handy during an attack at an inconvenient time. 



Banners 

One of the first orders of business for a hacker when hacking an e-mail server 
is performing a basic banner grab to see whether he can tell what e-mail server 
software is running. This is one of the most critical tests to find out what the 
world knows about your SMTP, P0P3, and IMAP servers. 

Gathering information 

Figure 15-2 shows the banner displayed on an e-mail server when a basic telnet 
connection is made on port 25 (SMTP). To do this, at a command prompt, 
simply enter telnet ip_or_hostname_of _your_server 25. This brings up a 
telnet session on TCP port 25. 



Figure 15-2: 

An SMTP 
banner 
showing 
server- 
version 
information. 



uer yl.Ba Ready 



Unix 



In Figure 15-2, it's pretty obvious what e-mail software type and version the 
server is running. This information can give hackers some ideas about possi- 
ble attacks, especially if they search a vulnerability database for known vul- 
nerabilities of that software version. Figure 15-3 shows the same e-mail server 
with its SMTP banner changed from the default (okay, the previous one was, 
too) to disguise such information as the e-mail server's version number. 



Part V: Application Hacking 




lana etth 

disguises 
the version 
information. 



■-inlxl 



1 



45 



ays* 



You can gather information on POP3 and IMAP e-mail services as well by tel- 
netting to either port 110 (POP3) or port 143 (IMAP). 

If you've changed your default SMTP banner, don't think that no one can figure 
out the version. One Linux-based tool called smtpscan (www . greyhats . org/ 
outils/smtpscan) determines e-mail server version information based on 
how the server responds to malformed SMTP requests. Figure 15-4 shows 
the results from smtpscan against the same server shown in Figure 15-3. It 
detected the product and version number of the e-mail server! 



Figure 15-4: 

smtpscan 
gathers 
version info 
when the 
SMTP 
banner is 
disguised. 



File Edit View Options Transfer Script Window Help 



[root@localhost src]* ./smtpscan 10,11.12.2 
smtpscan version 0.5 



15 tests available 

3181 fingerprints in the database 



Scanning 10.11.12.2 (10.11.12.2) port 25 
15/15 



Result — 

503:501:501:250:501:250:501:214:252:502:500:500:500:250:250 



-: 



Banner : 

220 Well, hello i 



Welcome to our e-mail 



SMTP server corresponding ; 

- Generic SMTP Server ul.Oa 
[ rootfjl coal host bin]* 



sshl;3DES 29,23 18 Rows, 61 Cols VT100 



Countermeasures 

There isn't a 100 percent secure way of disguising banner information. I sug- 
gest these banner security tips for your SMTP, POP3, and IMAP servers: 

Change your default banners to cover up the information. 

W Make sure that you're always running the latest software patches. 

Harden your server as much as possible by using well-known best prac- 
tices from such resources as SANS (www .sans.org), NIST (cs rc . ni st . 
gov), National Security Agency Security Recommendation Guides (www . 
nsa .gov/snac/index. html), and Network Security For Dummies, by 
Chey Cobb (Wiley Publishing, Inc.). 



Chapter 15: Messaging Systems 



DropBo 



SMTP attacks 




±er attacks exploit weaknesses in the Simple Mail Transfer Protocol 
This e-mail communications protocol — which is over 20 years old — 
was designed for functionality, not security. 



Account enumeration 

A clever way that hackers can verify whether e-mail accounts exist on a server 
is simply to telnet to the server on port 25 and run the VRFY command. The 
VRFY — short for verify — command makes a server query to check whether 
a specific user ID exists. Spammers often automate this method to perform a 
directory harvest attack (DHA). It's a way of gleaning valid e-mail addresses 
from a server or domain so hackers know who to send spam messages. 



Attacks 

Figure 15-5 shows how easy it is to verify an e-mail address on a server with 
the VRFY command enabled. Scripting this attack can test thousands of 
e-mail address combinations. 



Figure 15-5: 

Using VRFY 
to verify that 
an e-mail 
address 
exists. 



1 telnet - HyperTerniinal 


JSJxJ 


Fife Edit View Call Transfer Help 




□ 1*1 @|S| «d|B| Ef| 
























220 Generic SMTP Ser 
vrfy infoSprinciple] 
252 user appears to 


uer vl.Ba Rea< 
ogic . com 
be valid 






<l 1 M 


Connected 0:00:28 ANSIW 


TCP/IP 









The SMTP command EXPN — short for expand — may allow attackers to verify 
what mailing lists exist on a server as well. You can simply telnet to your e-mail 
server on port 25 and try EXPN on your system if you know of any mailing lists 
that may exist. Figure 15-6 shows what this result may look like. It's simple to 
script this attack and test thousands of mailing-list combinations. 




You may get bogus information from your server when performing these two 
tests. Some SMTP servers don't support the VRFY and EXPN commands, and 
some e-mail firewalls simply ignore them or return false information. 



266 



Part V: Application Hacking 



DropBodi 

250-; 



Figure 15-6: 

Using EXPN 
to verify that 
a mailing list 
exists. 



■ telnet - HyperTerminal 



Edit View Call Transfer Help 

»o|B| &\ 



eric SMTP Server ul.Sa Ready 
I users 

250-2 .1.0 <CoolUsers@principlelogic . com> 



Connected 0:00:47 



jnjxj 



"3 



if 



Countermeasures 

The best solution for preventing this type of e-mail account enumeration 
depends on whether you need to enable the VRFY and EXPN commands: 

f* Disable VRFY and EXPN unless you need your remote systems to be able 
to gather user and mailing-list information from your server. 

i>* If you need VRFY and EXPN functionality, check your e-mail server or 
content filtering documentation for the ability to limit these commands 
to specific hosts on your network or the Internet. 

Relay 

SMTP relay lets users send e-mails through external servers. Open e-mail 
relays are one of the greatest problems on the Internet. Spammers and hack- 
ers can use an e-mail server to send spam or attack through e-mail under the 
guise of the unsuspecting open-relay owner. 

Keep in mind the following key points when checking your e-mail system for 
SMTP-relay weaknesses: 

f" Test your e-mail server by using more than one tool or testing method. 
Multiple tests minimize any errors or oversights. 

Test for open relay from outside your network. If you test from the 
inside, you may get a false positive, because outbound e-mail relaying 
may be configured and necessary for your internal e-mail clients. 

Automatic testlnq 

Here are a couple of easy ways to test your server for SMTP relay: 
Free online tools. 




One of my favorite online tools is located at www . abuse, net/rel ay. 
html . You can perform the anonymous test without entering your e-mail 
address — unless you're an abuse.net member. It immediately displays 
the test results in your browser. 



Chapter 15: Messaging Systems 26 */ 



DropBooKi 



V Other Windows-based tools, such as Sam Spade for Windows. Figure 15-7 
shows how you can run an SMTP Relay check on your e-mail server, 
re 15-8 contains the results of this test on my test server, showing 
relaying is enabled. 




Some SMTP servers accept inbound relay connections and make it look 
like relaying works. This isn't always the case, because the filtering may 
take place behind the scenes. Check whether the e-mail actually made it 
through by checking the account you sent the test relay message to. 




Figure 15-8: 

Positive 
results from 
testing for 

an open 
SMTP relay. 



J F*e Edit View Window Basics Tools Help 

Z\ * I ! ^1*0 ^ ^>|whois.arin.nei 



1-lnlxl 



Q2/10/D4 17:4D:4B SMTP Relay Check @ ID. 11. 12. 2 
Contacting 10.11.12.2 

220 Hell, hellol Welcome to our email server... □ 
HELO ID. 11. 12. 2 

250 mail.principlelogic.com Hello ID. 11. 12.2 (10.11.12.202) 

MAIL FROM:<someuser_at_somespamdomain.com@10. 11. 12. 2> 

25 0 sender ok <someuser_at_somespamdomain. com@10 . 11. 12 . 2>D 

RCPT TO: <someuser@somespamdomain. com> 

250 Recipient ok <someuser@soraespamdomain. com>D 

DATA 

354 send the mail data, end with .□ 

To : someuser@somespamdomain. comD 

From: someuser@somespamdomain.com (Spade relay check) □ 
Subject: 10.11.12.2 relay checkD 



250 B00000fc62 Message accepted for deliveryD 



r#] 10.11 12.2 (relay check | f£] 10.11.12.2 (lelay ct 

For Help, piess Fi 



Manual testing 

You can manually test your server for SMTP relay by telnetting to the e-mail 
server on port 25. Follow these steps: 



Part V: Application Hacking 



DropBooks 



1. Telnet to your server on port 25. 

You can do this two ways: 





Use your favorite graphical telnet application, such as HyperTerminal 
(which comes with Windows) or SecureCRT (www . Vandyke . com). 

• Enter the following command at a Windows or UNIX command 
prompt: 

telnet mail server_address 25 

To see what's entered, you may have to enable local echoing of charac- 
ters in your telnet program, such as Hyper Terminal. 

You should see the SMTP welcome banner when the connection is made. 

Enter a command to tell the server, "Hi, I'm connecting from this 



domain." Enter the command like this: 




helo yourdomai n . com 






After each command in these steps, you should receive a different- 
numbered message, like 999 OK. You can ignore these messages. 

Enter a command to tell the server your e-mail address, like this: 


mail f rom :yourname@yourdomai n . com 




Enter a command to tell the server who to send the e-mail 


to, like this: 


rcpt to:your 


name@yourdomai n . com 






Enter a command to tell the 
like this: 


s server that the message body i 


is to follow, 


data 






Enter the following text as the body of the message: 





A relay test 

7. End the command with a period on a line by itself. 

This marks the end of the message. After you enter this final period, 
your message will be sent if relaying is allowed. 

8. Check for relaying on your server: 

• Look for a message like Relay not allowed to come back from the 
server. 

If you get a message like this returned, SMTP relaying is not 
allowed on your server. 



Chapter 15: Messaging Systems 



ipBooks 




You may get this message after you enter the rcpt to: command. 

• If you don't receive a message back from your server, check your 
inbox for the relayed e-mail. 

If you receive the test e-mail you sent, SMTP relaying is enabled on 
your server. 



Court termeasures 

You can implement the following countermeasures on your e-mail server to 
disable or at least control SMTP relaying: 

Disable SMTP relay on your e-mail server. If you don't know whether you 
need SMTP relay, you probably don't. You can enable SMTP relay for 
specific hosts if needed. 

www .ma i labuse.org/tsi/ar-fix. html provides information on dis- 
abling SMTP relay on e-mail servers. 

v* Enforce authentication, if your e-mail server allows it. You may be able 
to require such authentication methods as password authentication or 

Ian e-mail address that matches the e-mail server's domain. Check your 
e-mail server and client documentation for details on setting up this 
type of authentication. 

E-mail header disclosures 

If your e-mail client and server are configured with typical defaults, a mali- 
cious hacker may find critical pieces of information: 



i>* Internal IP address of your e-mail client machine (maybe the entire IP 
addressing scheme) 

Software versions of your client and server and their vulnerabilities 
f* Hostname 



Testing 

Figure 15-9 shows the header information revealed in a test e-mail I sent to 
my free Web account. As you can see, it shows off quite a bit of information 
about my e-mail system. 

V The third Received line discloses my system's hostname, IP address, 
server name, and e-mail client software version. 

is* The X-Mailer line displays the Microsoft Outlook version I used to send 
this message. 



Part V: Application Hacking 



Figure 15-9: 

Critical 
information 
revealed in 
e-mail 
headers. 



X -Apparently ~To: 


my •-•secret~acrauntl@yahoo.com via mimmjJ)kn'xJlL.ilfidBXV Wed, 0.4 Feb 2Q04 

i_i : : 4'^ - Uc'J i_l 


Return -Path : 


<kbeaueti5 l piin dp lelogic com> 


1 >.™* 


from £crrie'jr-:e_/"-l.-.=' ?__ip_=i dd '^.7." i.EHL'. 1 J ^P_.^rnai i 1 . 1 e i;J 1 zo^r.on-^ _,el.:e'.;._ip_.sc;dre:;r.: 
by 'vah*o_ernail_.>e,rver with SMTP; Wed, 04 Feb 2004 09:39:43 -0800 


/ 1 \w 


frommy_e.T,!il_^eiv*t ([ip.sddre.^]) by ISP !_e.ma.iL server llnteetMail vM, 5,01,06.05 201- 
253-122-130-105-20030824) with ESMTP id 

< z i.hj 4u_J U41 ■■ F r 'A"_ I": 1 . I :.p e"u ^ 1 I 'Je r i.oi-fi erri h : ■ ■>= I've h " : - f~o i' 
<my~secret~account!@yahoo,com>; Wed, 4 Feb 20 04 12:39:42 -0500 


Received: 


from MY HOST NAME (Not Verified[10. 11.12, 21lfl) by mv_email„servei- with Generic SMTP 
Server vl.Oa id <B00000f611>; Wed, 04 Feb 2004 12:39:35 -0500 


Message- ID: 


< 0 00 801 c3eb4 6$ 258 927a 0$8 00 lOldf > 


From: 


"Ke«in Beaver" <kbeaverr5)Drind D lebaic. com> ?~JAdd tO Address Book 


To: 


m y ~se cret~ a ccou nt ! (glyahoo ■ corn 


Subject: 


See my headers? 


Date: 


Wed, 4Feh.2Q04 12:40;38 -0500 


MIME- Version: 


1.0 


Content-Type : 


multipart/alternative; boundary = "— -=_NextPart_000_0005_01C3EBlC.1762FAOO" 


X- Priority: 


3 


X-MSMail-Priority: 


Normal 


X -Mailer: 


Microsoft Outlook Express 6,00, 2800,1158 


X MimeOlE: 


Produced By Microsoft MraeGLE V6, 00,2800,1165 


Content- Length: 


661 



Countermeasures 

The best countermeasure to prevent information disclosures in e-mail head- 
ers is to configure your e-mail server/gateway/firewall to rewrite your e-mail 
headers, either changing the information shown or removing it altogether. 
Check your e-mail server documentation to see whether this is an option. 

If full-fledged header rewriting is not available, you may at least be able to 
prevent the sending of some critical information, such as server software 
version numbers and internal IP addresses. 

Capturing traffic 

E-mail traffic can be captured with a network analyzer or an e-mail packet 
sniffer and reconstructor. 

Mailsnarf is an e-mail packet sniffer and reconstructor. It's part of the dsniff 
package. You can get dsniff from www .monkey .org/~dugsong/dsniff (UNIX 
variants) or www . datanerds . net/~mi ke/dsni f f . html (Windows). 

If traffic is captured, a hacker can do one of the following: 

is 0 Compromise one host and potentially have full access to another adja- 
cent host, such as your e-mail server. 

Exploit known security vulnerabilities in e-mail server, e-mail client, and 
software. 

Ma(utare 

E-mail systems are regularly attacked by such malware as viruses and worms. 



Chapter 15: Messaging Systems 



I E-mail is one of the best ways for malware to propagate. Chapter 14 



covers malware. 



ipBoote 



kers often compromise systems by running e-mail services that 
t being used or that need to be updated. 



General best practices for minimizing 
e-mail security risks 

The following countermeasures help keep messages as secure as possible. 
Software solutions 

The right software can neutralize many threats: 



Use malware-protection software on the e-mail server — better, the e-mail 
gateway — to prevent malware from reaching e-mail clients. 

Apply the latest operating system and e-mail application security patches 
consistently and after any security alerts are released. 

V If it makes good business sense, encrypt messages. You can use S/MIME 
or PGP to encrypt sensitive messages or use e-mail encryption at the 
desktop level or the server or e-mail gateway. (You can use SSL/TLS 
between your e-mail client and server via P0P3S or IMAPS or between 
your e-mail gateway and remote e-mail gateways. I prefer to implement 
encryption between gateways so that the user doesn't have to be 
involved.) 

It's best not to depend on your users to encrypt messages. Use an enter- 
prise solution to encrypt messages. 



Operating guidelines 

Some simple operating rules can keep your walls high: 



Put your e-mail server behind a firewall, preferably in a DMZ that's on a 
different network segment from the Internet and from your internal LAN. 

Disable unused protocols and services on your e-mail server. 

Run your e-mail server on a dedicated server, if possible, to help keep 
hackers out of other servers and information if the server is hacked. 



i>* Log all transactions with the server in case you need to investigate mali- 
cious use in the future. 



Part V: Application Hacking 



DropBoote 



V If your server doesn't need e-mail services running (SMTP, POP3, and 
IMAP), disable them — immediately. 

Web-based e-mail such as Microsoft's Outlook Web Access (OWA), 
erly secure your Web-server application and operating system by 
using the hardening resources I mention throughout this book. 

If you're running sendmail — especially an older version — consider 
running a secure alternative, such as Postfix or qmail. 



Instant Messaging 

The hottest new technology taking networks by storm is instant messaging 
(IM). Although IM offers a lot of business value, some serious security issues 
are associated with it. This is especially true if it's not managed properly and 
end users are free to install, configure, and use it in any way they want. 



Vulnerabilities 

IM has several critical security vulnerabilities, including the following: 

i>* Name hijacking, allowing a hacker to assume the identity of an IM user 

V Launching a DoS attack on an IM client, allowing the attacker to take 
remote control of the computer 

Capturing internal IP address information (similar to the way it's dis- 
closed in e-mail headers) 

i>* Transferring malware, including viruses and malicious Trojan horses 

You can remedy most of these vulnerabilities by applying the latest software 
patches and keeping antivirus signatures up to date. However, two IM vulner- 
abilities are susceptible to malicious attack, so they deserve a little more dis- 
cussion. These affect most of the popular IM clients, including AOL Instant 
Messenger (AIM) and ICQ. These vulnerabilities are just problems with file 
sharing and log files, but these weaknesses can make all the difference in the 
world when it comes to securing your network. 

Sharing network dritfes 

The biggest problem with IM clients is the ability to share files. This feature 
may be pretty neat for home users or others with stand-alone computers, but 
it can pose a real security risk to your network and information. Practically 



Chapter 15: Messaging Systems 



pBoo^ 



every IM client gives users the ability to share both local and network files. 
Figure 15-10 shows an example of file sharing configured in AIM. 



Figure 15-10: 

File-sharing 
options 
under end- 
user control. 



.£ AOL Instant Messenger Preferences 



Category 



File Sharing 



Buddy List 1 

Privacy 

Sign On/Off 

IM/Chat 
Font 

AIM Expressions 
Buddy Icons 

Idle Message 
Away Message 

Mail 

Stock Ticker 
News Ticker 



File Transfer 
Direct I M 
Send Buddy List — 1 
Talk 
Add-lns 



Shared File Location: 



Directory from where others can get my files or I send files: 
| WCriticalS erverSH orne 



Browse... 



File Access 



r Allow only users in Buddy gfoup: |6uddres 3 
Fot useis on my Buddy List: For users not on my Buddy List: 



P Allow 
C Display Approve Dialog 
<~ Eon'tAIora 



C Allow 
f Display Approve Dialog 
<~ Dont Allow 



W ^levei rjsgay Statu: - '.'"l^n then J» n , nl- -- 
Port number to use: \ 



Cancel | Apply 



Once untrained or careless users share your network drives via their IM 
clients, they've just granted potentially anyone on their IM network permis- 
sion to view and copy those files. Figure 15-11 shows a sample of what you 
can see over the AIM network. 



Figure 15-11: 

When users 
share files 
via IM, 
others 
may see 
information 
like this. 



This is the list ol files you can get trom your buddy. Select 
the file you want and click the Get button. 



■' C3 Customer Flea 



ffiittencials.xls 

34] patient information, xls 



Size ; Modified 



42496 W20Q3 08 46PM 
27648 2/19/2002 12:07 PM 



W Check file for virus alter transfer I - Open file or folder after transfer 



Figure 15-12 shows some AIM File Transfer settings that can allow any remote 
user to place files on your network — malware and all! 



Part V: Application Hacking 



Category 
I BUJdy List - 

dBooRs 

IM/Chat 



Figure 15-12: 

Options to 
receive files 
in AOL 
Instant 
Messenger. 



A AOL Instant Messenger Preferences 



IM/Chat 




Font 




AIM Expressions 




Buddy Icons 




Idle Message 




Away Message 




Mail 




Stock Ticker 




News Ticker 




File Sharing 




Direct IM 




Send Buddy List 




Talk 




Add-lns 


• 



WARNING If you don't have anti-virus software installed on your computer, 
please install some before accepting/receiving files. 



Directory to put files I receive: 
|V\CriticalServer\PublicShaie 



Browse.. | 



Receive File Permission: 
C Reject fiom all users 

<~ Display the Approve Dialog for files from all users 

f~ Accept files from Buddies on Buddy List, display the Approve Dialog for other users 
feccepl tile: Irorn all users 



Port number to use: 



Apply 



If you know of IM users on your network, follow these steps to assess the 
security of their software and configuration: 

1. Determine IM clients that are running on your network. 

You can detect IM software with 

• Manual inspection of the local workstation 

• A third-party workstation hardware and software inventory 
program 

• A network analyzer that shows IM traffic. For instance, you can use 
Ethereal to capture and display various types of IM protocols, such 
as AOL Instant Messenger (AIM protocol), ICQ (ICQ protocol), and 
MSNMS (MSN Messenger). 

2. Install the IM clients on your own system. 

Avoid creating your own security holes: Download and install the latest 
client versions, and don't enable file sharing. 

3. Find your network's IM users. 

You can identify IM users by either looking up users with a directory 
search in the IM client (many IM clients publish this information by 
default) or asking users for their handles for all their IM clients. 

For each user, check settings to see whether they're sharing files. 

It's often just a simple right-click on their IM handle within the IM soft- 
ware to copy files to and from their system. 





Chapter 15: Messaging Systems 



DropBo 



Log files 

Many IM clients can log all IM conversations. Some clients log all conversa- 
efault. Have users enabled logging and inadvertently shared their 
ith the world? It's a smoking gun for a hacker to use! Figure 15-13 
shows part of an ICQ conversation stored in communications gobbledygook 
in a log file found in the c:\Program Fi 1 es\ ICQ folder. 




Figure 15-13: 

IM log files 
revealing 
juicy 
information. 



Insert Format Help 



- - ' 



pgl252\deff0\def langl033 < \ fonttbK \ f D\ f nil\ fcharsetO HS . 



K□^=4□□□X^R^□□ < \ rtf 1\ ana 
Sana Serif;}} 

ncolortbl ;\red21\green43\blue77; I 

\viewkind4\ucl\ pard\cf I\f0\fs22 Hey - guess ahat...got the 
financials - let me just say - sell, sell, sell your stocJt 
place... my manager and the CEO are lnsane!\par 



For Help, ptess Fl 



i tired of this 



Countermeasures 

IM vulnerabilities can be difficult to detect, because most rogue IM software 
is desktop-based. If you have a large network, checking every computer for 
these vulnerabilities is pretty much impossible. Spot checks can be inaccu- 
rate, because every desktop and every user can be different. 

Even if you disallow IM — or any messaging software — on your network, users 
always install it. If you implement these countermeasures, you're better pre- 
pared to protect your users from themselves and hackers. 

detecting IM traffic 

In addition to a network analyzer, you can detect IM traffic by using the fol- 
lowing tools: 

i>* IM traffic-detection tools from Akonix (www . a kon i x .com) work like a 
network analyzer. 

Rogue Aware (www . a kon i x . com/products /rogueaware. asp) is a free 
tool. As shown in Figure 15-14, Rogue Aware detects such traffic on the 
network as IM and other P2P communications (such as Kazaa and 
Gnutella) and file sharing on the network. I recommend that you check it 
out and use this tool as part of your ethical hacking toolkit. Ideally, you 
install it on a computer that's connected to a monitor port on a switch 
or a hub adjacent to your firewall to ensure that you see all the traffic. 



Part V: Application Hacking 



DBOi 



Figure 15-14: 

Akonix 
Rogue 
Aware 
detects IM 
logins and 
file sharing. 



\u3 










1 


IM Activity 


P2P Activity 


Help 




— — 


Summary 


Detail 










Akonix RogueAware 


- IM Activity Summary 


I o Uate 


AUL 


ILL) 


MSN 


rahoo 


lotal 


Logins 


2 


2 


0 


0 


4 


Messages Sent 


4 


□ 


0 


0 


4 


Messages Received 


0 


0 


0 


0 


0 


Files Sent 


10 


0 


0 


0 


10 


Files Received 


10 


0 


0 


0 


10 


Today 


AOL 


ICQ 


MSN 


Yahoo 


Total 


Logins 


2 


2 


0 


0 


4 


Messages Sent 


4 


0 


0 


0 


4 


Messages Received 


0 


0 


0 


0 


0 


Files Sent 


10 


0 


0 


0 


10 


Files Received 


10 


0 


0 


0 


10 



i>* Akonix's Enforcer and L7 Enterprise are commercial utilities that have 
more functionality. Other vendors offer similar solutions, such as FaceTime 
Communications (www . facet i me . com) and IM Logic (www . i ml ogi c . com). 
If you can justify the cost — which is relatively easy — I recommend that 
you check these products out. 

Desktop auditing utilities can show you which applications are installed 
and their specific settings. Such products as Ecora's Enterprise Auditor 

(www . ecora . com/ecora/products/enterpri se_audi tor . asp), 
Microsoft's Systems Management Server (www . mi crosof t . com/ 
smserver/default.asp) and some lower-end shareware tools can 
offer this type of functionality. 

Maintenance and configuration 

In addition to the tools listed in the previous section, you can implement 
these IM hacking countermeasures: 

f* User behavior: 

• Have a policy banning or limiting the usage of all P2P software. 

• Instruct users not to open file attachments or configure their IM 
software to share or receive file attachments. 

• Instruct users to keep their buddy lists private and not share their 
information. 



Chapter 15: Messaging Systems 



System configuration: 



DropBooks 



• Change default IM software installation directories to help elimi- 
nate automated attacks. 



Apply all the latest IM software patches. 



• Ensure that the latest antivirus software and personal-firewall soft- 
ware is loaded on each instant-messaging client. 

• Ensure that proper file and directory access controls are in place 
to effectively give your users the minimum necessary rights for 
their jobs. This countermeasure helps keep prying eyes out if 
someone can exploit an IM vulnerability. 

• If you allow IM on your network for business purposes, consider 
standardizing an enterprise-based IM application such as Jabber or 
Lotus Sametime. These applications have more-robust and manage- 
able security options, which can ensure control. 



Part V: Application Hacking 



DropBooks 



DropBooks 



Chapter 16 



Web Applications 



In This Chapter 

Attacking Web applications 
Countering application hacking 




MM/ eb applications, like e-mail, are common hacker targets because 
WW they're everywhere and often open for anyone to poke around in. Basic 
Web sites used for marketing, contact information, document downloads, and 
so on are a common target for hackers — especially the script-kiddie types — 
to deface. However, for criminal hackers, Web sites that store valuable infor- 
mation, like credit-card and Social Security numbers, are especially attractive. 
This is where the money is, so to speak. 

Why are Web applications so vulnerable? The general consensus is they're 
vulnerable because of poor software development and testing practices. 
Sound familiar? It should, because this is the same problem that affects oper- 
ating systems and practically all computer systems. This is the side effect of 
relying on software compilers to perform error checking, lack of user demand 
for higher-quality software, and emphasizing time-to-market instead of secu- 
rity and stability. 

This chapter presents Web application hacks to check on your systems. You 
can test for literally thousands of vulnerabilities, but I focus on the ones I see 
most often. I also outline countermeasures to help minimize the chances that 
a hacker can carry out these attacks against your Web applications. 



Web-Application Vulnerabilities 



Hacker attacks against insecure Web applications — via Hypertext Transfer 
Protocol (HTTP) — make up the majority of all Internet-related attacks. Most 
of these attacks can be carried out even if the HTTP traffic is encrypted (via 
HTTPS or HTTP over SSL) because the communications medium has nothing 
to do with these attacks. The security vulnerabilities actually lie within either 
the Web applications themselves or the Web server and browser software 
that the applications run on and communicate with. 



Part V: Application Hacking 



Many attacks against Web applications are just minor nuisances or may not 
affect confidential information or system availability. However, some attacks 
m^k havoc on your systems. Whether the Web attack is against a basic 
^Jware site or against the company's most critical customer server, 
attacks can hurt your organization. 



DropBoGK 

these 



Choosing \lour Tools 

Freeware and commercial tools can help ensure that your tests are compre- 
hensive and minimize your testing time. All these tools basically work the 
same way, with such capabilities as scanning for script vulnerabilities, testing 
for invalid user input, and viewing critical files. 

My favorite tools are Nikto (www .cirt.net/code/nikto.shtml), Nessus 
(www . nessus . org), and SPI Dynamics' Weblnspect (www . s pi dynami cs . com). 
These certainly are not the only tools available. It's still a young market for 
commercial tool vendors, so keep your eyes peeled for emerging products. 



Insecure Login Mechanisms 

Many Web sites require users to login before they can do anything with the 
application. These login mechanisms often do not handle incorrect user IDs 
or passwords gracefully. They often divulge too much information that a 
hacker can use to gather valid user IDs and passwords. 



Testing 

To test for insecure login mechanisms, browse to your application and login 
in the following ways: 

1 Using an invalid user ID with a valid password 

\* Using an valid user ID with an invalid password 
1 Using an invalid user ID and password 

After you enter this information, the Web application probably responds with 
a message like Your user ID is i nval i d or Your password is invalid. 
The Web application may also return a generic error message, such as Your 
user ID and password combination is i nva 1 i d and, at the same time, 
return different error codes in the URL for invalid user IDs and invalid pass- 
words, as shown in Figures 16-1 and 16-2. 



Chapter 16: Web Applications 



281 



n rrM^Jn^/^B^^dY hacking Web applications 
UrupDUUFvb W ith Caleb Sima 



In this case study, Caleb Sima, a well-known 
penetration-testing expert, shared an experi- 
ence performing a Web-application security 
test. Here's his account of what happened. 

The Situation 

Mr. Sima was hired to perform a Web-applica- 
tion penetration test to assess the security of a 
well-known financial Web site. Equipped with 
nothing more than the URL of the main financial 
site, Mr. Sima set out to find what other sites 
existed for the organization and began by using 
Google to search for possibilities. He initially ran 
an automated scan against the main servers to 
discover any low-hanging fruit. This scan pro- 
vided information on the Web-server version 
and some other basic information, but nothing 
that proved useful without further research. And 
while Mr. Sima performed the scan, neitherthe 
IDS nor the firewall noticed any of his activity! 
Then he issued a request to the server on the 
initial Web page, which returned some interest- 
ing information. The Web application appeared 
to be accepting many parameters, but as he 
continued to browse the site, he noticed that the 
parameters in the URL stayed the same. He 
decided to delete all the parameters within the 
URL to see what information the server would 
return when queried. The server responded 
with an error message describing the type of 
application environment. 

Next, Mr. Sima performed a Google search on 
the application that resulted in some detailed 
documentation. He found several articles and 
tech notes within this information that showed 
him how the application worked and what 
default files might exist. In fact, the server had 
several of these default files. He used this infor- 
mation to probe the application further. He 
quickly discovered internal IP addresses, as 
well as what services the application was offer- 
ing. Now that he knew exactly what version the 



admin was running, he wanted to see what else 
he could find. 

Mr. Sima continued to manipulate the URL from 
the application by adding & characters within 
the statement to control the custom script. This 
allowed him to capture all source codes files! 
He noted some interesting filenames, including 
Veri fy Logi n . htm, Appl i cati onDetai 1 . 
htm, CreditReport.htm, and Change 
Password . htm. Then he tried to connect to 
each file by issuing a specially formatted URLto 
the server. The server returned a User not 
logged in message for each request and stated 
that the connection must be made from the 
intranet. 

The Outcome 

Mr. Sima knew where the files were located 
and was able to sniff the connection and deter- 
minethatthe Appl i cati onDetai 1 . htmfile 
set a cookie string. With little manipulation of 
the URL, he hit the jackpot! This file returned 
client information and credit cards when a new- 
customer application was being processed. 
CreditReport.htm allowed him to view 
customer credit-report status, fraud informa- 
tion, declined-application status, and a multi- 
tude of other sensitive information. The lesson 
to be learned: Hackers can utilize many types of 
information to break through Web applications. 
The individual exploits in this case study were 
minor, but when combined, they resulted in 
severe vulnerabilities. 

Caleb Sima was a charter member of the X-Force 
team at Internet Security Systems and the 
first member of the Penetration Testing team. 
He went on to co-found SPI Dynamics (www. 
spi dynami cs . com) and become its CTO, as 
well as director of SPI Labs, the application-secu- 
rity research and development group within SPI 
Dynamics. 



Part V: Application Hacking 



DropBooR$ 



Figure 16-1: 

A login 
error in 
the URL for 
an invalid 
user ID. 



*J Login Error - Microsoft Internet Explorer 



File Edit View Favorites Tools Help ■ 
^ J±\ 41 '^Search ^Favorites 0Media -J) | i^- # @J 3 



d://10. 1 1 , 12,2/cgi-bin/password,cgi?loginerror=100 



~3 &<■ 



~3| &5earchWeb - fljseardvate £2 @. 



ERROR! 



Your user ID and password combination is invalid. Please 
try again. 



e) Done 



TV 



£ Internet 



— I 



Figure 16-2: 

A login 
error in 
the URL for 
an invalid 
password. 



J Login Error - Microsoft Internet Explorer 



File Edit View Favorites Tools Help 



^Back » ■+ - d jj d$ I ^Search ^JFavorites ^jMedia ,J J^,- ,J 3 15] 



Address | http://10.ll. 12. 2/cgi-bin/password.cgi?loginerror=2^0 



Google- |~ 



~3 t* 50 



"3 (ftSearchWeb - SJseaift, 3fe £5 ^ | 0 



ERROR! 



Your user ID and password combination is invalid. Please 
try again. 



ej Done 



0 Internet 



In either case, this is bad news, because the application is telling you not only 
which parameter is invalid, but also which one is valid. This means that the 
hackers now know either a good user name or password — their work has 
been cut in half! If they know the username (which usually is easier to guess), 
they can simply write a script to automate the password-cracking process, and 
vice versa. They can also use a remote Web login-cracking tool, such as Brutus 
(www . hoobi e . net/brutus), to attempt to break in, using a preconfigured file 
with user IDs and passwords, or even use it to perform brute-force attacks. 



Chapter 16: Web Applications 



Countermeasures 



pBook 



implement the following countermeasures to prevent hackers from 
g weak login systems in your Web applications: 




Any login errors that are returned to the end user should be as generic 
as possible, saying something like Your user ID and password com- 
bination is invalid. 

V The application should never return error codes in the URL that differen- 
tiate between an invalid user ID and invalid password, as shown in 
Figures 16-1 and 16-2. 

If a URL message must be returned, the application should keep it as 
generic as possible. Here's an example: 

www .your_Web_app .com/login.cgi?success=false 

This URL message may not be as convenient to the user, but it helps 
hide the mechanism and the behind-the-scenes actions from a hacker. 



Directory Traversal 

A directory traversal is a really basic attack, but it can turn up interesting 
information about a Web site. This attack is basically browsing a site and 
looking for clues about the server's directory structure. 



Testing 

Perform the following tests to determine information about your Web site's 
directory structure. 



robots.txt 

Start your testing with a search for the Web server's robots . txt file. This 
file tells search engines which directories not to index. Thinking like a hacker, 
you may deduce that the directories listed in this file may contain some infor- 
mation that needs to be protected. Figure 16-3 shows a robots . txt file that 
gives away information. 



Part V: Application Hacking 



pBo£l 



Figure 16-3: 

A Web 
server's 
robots . 
txt listing. 



| File Edit View Favorites Tods Help 




| 4^ack « * - £ |g £ '^Search jiJFavorites ^Media J &g [§ £ (§■ 






(J&Search Web - fljSearch-Slte £2 1 & 


PageRank gibbeted f]- » 


^'^ANolmiSffmEciioNis: IS] €339 5 " ousron QMSj 


-1 d -1 



/cgi-bin 
/ linages 



/oldapp 



Confidential files on a Web server may have names like those of publicly acces- 
sible files. For example, if this year's product line is posted as www .your_Web_ 
app.com/productl ine2004.pdf, confidential information about next year's 
products may be www .your_Web_app . com/productl i ne2005 . pdf . 

A user may place confidential files on the server without realizing that they 
are accessible without a direct link from the Web site. 



Cratffers 

A spider program like BlackWidow (www . sof tbytel abs . com/Bl ackWi dow) 
can crawl your site to look for every publicly accessible file. Figure 16-4 
shows the crawl output of a basic Web site. 

Complicated sites often reveal more information that should not be there, 
including old data files and even application scripts and source code. 



Figure 16-4: 

Using 
BlackWidow 
to crawl 
a Web site. 



File Edit Settings View Folder List Help 

e=|y| ssl <|>l»| fl|< 



Site URL : | http: //1 0.11.1 2.2/ 



T 



£S http:// 
H €3 10.11.12.2 

; ~l images 



IBFiewal E Practice; pd 



J- 



ModJied | Type 



| Title | Fiom 



6/24/2003 9 05 48 AM app«catcn/odl 



gHIPA^FAOodt 129.190 5/14/2003 101936AM applcatnn/pdl 

TOHIPAA_Securty_Rute_FAQ pdr 132.653 5/14/2003 10 00 44AM appicaton/pdt 

B p assw°'d_Best_P'3acespdl 222.113 5/14/2003 1O2029AM applcabon/pdt 

@Sample_HIPAA_Seeuiiiy_0(hc . 99.497 5/14/2003 1019:58AM applcabori/pdl 

g5 T he_Case_f or_lr*ormabon_Sec 1 02.486 5/14/2003 10 19 23 AM apptcation/pdf 



http//1C11 122/iesouices html 
http.//1011 122/ho8a _ Wml 
Ntp//1tt11 122/hpaahtml 
htlp//1 0.1 1.12 2/resources html 

http //!□ 1 1 12 2/resources html 



Status: ' Done Elapsed: 00:00:03 

0 Selected, 0 Byte 4 fddeis, 60 Hies. 1 ,024,304 Bytes 



Look at the output of your crawling program to see what files are available. 
Regular HTML and PDF files are probably okay, because they're most likely 
needed for normal Web-application operation. But it wouldn't hurt to open 
each file to make sure it belongs. 



Chapter 16: Web Applications 283 



Countermeasures 



DropBoofe 



^mploy two main countermeasures to having files compromised via 
fs directory traversals: 




v 0 Don't store old, sensitive, or otherwise nonpublic files on your Web 
server. The only files that should be in your /htdocs or DocumentRoot 
folder are those that are needed for the site to function properly. These 
files should not contain confidential information that you don't want the 
world to see. 

f" Ensure that your Web server is properly configured to allow public 
access only to those directories that are needed for the site to func- 
tion. Minimum necessary privileges are key here, so provide access only 
to the bare-minimum files and directories needed for the Web applica- 
tion to perform properly. 

Check your Web server's documentation for instructions to control 
public access. Depending on your Web-server version, these access con- 
trols are set in 

• The httpd.conf file and the .htaccess files for Apache 

Refer to httpd.apache.org/docs/configuring. html for more 
information. 

• Internet Information Services Manager settings for Home Directory 
and Directory (IIS 5.1) 

• Internet Information Services Manager settings for Home Directory 
and Virtual Directory (IIS 6.0) 



The latest versions of these Web servers have good directory security by 
default, so if possible, make sure you're running the latest versions: 



V Check for the latest version of Apache at httpd.apache.org. 
The most recent version of IIS (for Windows Server 2003) is 6.0. 



Input Filtering 

Web applications are notorious for taking practically any type of input, 
assuming that it's valid, and processing it further. Not validating input is one 
of the greatest mistakes that Web-application developers can make. This can 
lead to system crashes, malicious database manipulation, and even database 
corruption. 



Part V: Application Hacking 



Input attacks 




jttacks can be run against a Web application that insert malformed 
iften, too much at once — which can confuse, crash, or make the 



Web application divulge too much information to the attacker. 
Buffer overflows 

One of the most serious input attacks is a buffer overflow that specifically 
targets input fields in Web applications. 

For instance, a credit-reporting application may authenticate users before 
they're allowed to submit data or pull reports. The login form uses the follow- 
ing code to grab user IDs with a maximum input of 12 characters, as denoted 
by the maxsi ze variable: 

<form name="Webauthenti cate" acti on="www.your_Web_app.com/l ogi n.cgi " 
method="POST"> 

<input type="text" name="inputname" maxsize="12"> 



A typical login session would be presented a valid login name of 12 charac- 
ters or less. However, hackers can manipulate the login form to change the 
maxs i ze parameter to something huge, such as 100 or even 1,000. Then they 
can enter bogus data in the login field. What happens next is anyone's call — 
they may lock up the application, overwrite other data in memory, or crash 
the server. 

Automated input 

An automated-input attack is when a malicious hacker manipulates a URL and 
sends it back to the server, directing the Web application to add bogus data 
to the Web database, which can lead to various DoS conditions. 

Suppose, for example, that you have a Web application that produces a form 
that users fill out to subscribe to a newsletter. The application automatically 
generates e-mail confirmations that new subscribers must respond to. When 
users receive their e-mail confirmations, they must click a link to confirm their 
subscription. Users can tinker with the hyperlink in the e-mail they received — 
possibly changing the username, e-mail address, or subscription status in the 
link — and send it back to the server hosting the application. If the Web server 
doesn't verify that the e-mail address or other account information being sub- 
mitted has recently subscribed, the server will accept practically anyone's 
bogus information. The hacker can automate the attack and force the Web 
application to add thousands of invalid subscribers to its database. This can 
cause a DoS condition on the server or the server's network due to traffic over- 
load, which can lead to other issues. 



Chapter 16: Web Applications 287 




I don't necessarily recommend that you carry out this test in an uncontrolled 
fashion with an automated script you may write or download off the Internet. 
Itaad^you may be better off carrying out this type of attack with an auto- 
l^dyt^sting tool ,such as Weblnspect or, or one of its commercial equiva- 
lents, such as Sanctum's AppScan (www . sanctumi nc .com). 



Code injection 

In a code-injection attack, hackers modify the URL in their Web browsers or 
even within the actual Web-page code before the information gets sent back 
to the server. For example, when you load your Web application from www . 
your_Web_app .com, it modifies the URL field in the Web browser to some- 
thing similar to the following: 



http://www.your_Web_app.com/scri pt .php?i nfo_vari able=X 



Hackers, seeing this variable, can start entering different data into the 

i nf o_vari abl e field, changing X to something like one of the following lines: 



http:// www.your_Web_app.com/script.php7info_variable-Y 



http:// www.your_Web_app.com/script.php7info_variable-123XYZ 



The Web application may respond in a way that gives hackers more informa- 
tion — even if it just returns an error code — such as software version num- 
bers and details on what the input should be. The invalid input may also cause 
the application or even the server itself to hang. Similar to the case study ear- 
lier in the chapter, hackers can use this information to determine more about 
the Web application and its inner workings, which can ultimately lead to a 
serious system compromise. 

Code injection can also be carried out against back-end SQL databases — an 
attack known as SQL injection. Hackers insert rogue SQL statements to attempt 
to extract information from the SQL database that the Web application inter- 
acts with. Microsoft has a good Web site dedicated to Microsoft SQL Server 
security, including Slammer prevention and cleanup, at www . mi crosof t . com/ 
sql/techinfo/administration/2000/security/sl ammer . asp. Also check 
out the popular and effective Shadow Database Scanner at www . s a f ety - 1 a b . 
com/en/products/6.htm. 



Hidden field manipulation 

Some Web applications embed hidden fields within Web pages to pass state 
information between the Web server and the browser. Hidden fields are repre- 
sented in a Web form as <i nput type=" hi dden">. Due to poor coding prac- 
tices, hidden fields often contain confidential information (such as product 
prices for an e-commerce site) that should be stored only in a back-end data- 
base. Users should not be able to see hidden fields — hence, the name — but 
the curious hacker can discover and exploit them with these steps: 



Part V: Application Hacking 



1. Save the page to the local computer, 
v the HTML source code. 

ee the source code in Internet Explorer, choose ViewOSource. 

3. Change the information stored in these fields. 

For example, a hacker may change the price from $100 to $10. 

4. Re-post the page back to the server. 

This allows the hacker to obtain ill-gotten gains, such as a lower price on 
a Web purchase. 

Cross-site scripting 

Cross-site scripting (XSS) is a well-known Web application vulnerability that 
occurs when a Web page displays user input — via JavaScript — that isn't 
properly validated. A hacker can take advantage of the absence of input filter- 
ing and cause a Web site to execute malicious code on any user's computer 
that views the page. 

For example, an XSS attack can display the user ID and password login page 
from another rogue Web site. If users unknowingly enter their user IDs and 
passwords in the login page, the user IDs and passwords are entered into the 
hacker's Web server log file. Other malicious code can be sent to a victim's 
computer and run with the same security privileges as the Web browser or 
e-mail application that's viewing it on the system; the malicious code could 
provide a hacker with full read/write access to the entire hard drive! 




A simple test shows whether your Web application is vulnerable to XSS. Look 
for any parts of the application that accept user input (such as a login field or 
search field), and enter the following JavaScript statement: 



<scri pt>al ert( ' You have been scri pted ' )</scri pt> 

If a window pops up that says You have been scri pted , as shown in 
Figure 16-5, the application is vulnerable. 



DrorifesoKs 



Figure 16-5: 

A sample 
JavaScript 
pop-up 
window. 




Chapter 16: Web Applications 



Countermeasures 



)pBocte 



ications must filter incoming data. The applications must check and 
at the data being entered fits within the parameters of what the appli- 
cation is expecting. If the data doesn't match, the application should generate 
an error and not permit the data to be entered. The first input validation of the 
form should be matched up with an input validation within the application to 
ensure that the input parameter meets the requirement. 



Developers should know and implement these best practices: 

i>* To reduce hidden-field vulnerabilities, Web applications should never 
present static values that the Web browser and the user don't need to 
see. Instead, this data should be implemented within the Web applica- 
tion on the server side and retrieved from a database only when needed. 

W To minimize XSS vulnerabilities, the application should filter out <scri pt> 
tags from the input fields. 

You can also disable JavaScript in the Web browser on the client side as 
an added security precaution. 

Some secure software coding practices can eliminate all these issues from 
the get-go if they're made a critical part of the development process. 



Default Scripts 

Poorly written Web programs, such as Common Gateway Interface (CGI) and 
Active Server Pages (ASP) scripts, can allow hackers to view and manipulate 
files on a Web server that they're not authorized to access, as well as upload 
tons of files that can eventually fill the Web server's hard drive. Attacks such 
as the Poison Null attack and Upload Bombing attack against vulnerable CGI 
scripts written in Perl permit unauthorized access. 



Attacks 

Default script attacks are common because so many poorly written scripts 
are floating around the Internet. Hackers can also take advantage of various 
sample scripts that install on Web servers — especially older versions of 
Microsoft's IIS Web server. 




Many Web developers and Webmasters use these scripts without under- 
standing how they really work or testing them, which can introduce serious 
security vulnerabilities. 



Part V: Application Hacking 




\\V ^ Some poorly written scripts contain confidential information, such as user- 
"""" names and passwords! To test for this, you can peruse scripts manually or 
•^ska te^t search tool — such as the Search function built into the Windows 
jcfr\^^iu or the find program in Linux or UNIX — to find any hard-coded 
usernames and passwords. Look for such words as admin, root, user, ID, 
login, password, pass, and pwd. 

Confidential or critical information that's embedded in scripts like this is rarely 
necessary and is often the result of poor coding practices — convenience over 
security 



Countermeasures 

You can help prevent attacks against default Web scripts: 




Know how scripts work before deploying them within a Web application. 

Make sure that all default or sample scripts are removed from the Web 
server before using them. 

Don't use scripts that have confidential information that's hard coded. 
They're a security incident in the making. 



URL f ilter Bypassinq 

It's possible for internal employees to bypass Web-content filtering applica- 
tions and logging mechanisms to browse to sites that they shouldn't go to — 
potentially covering up malicious behavior and Internet usage. 



Bypassing fitters 

Malicious employees bypass URL filtering mechanisms by using proxy servers, 
tunneling Web traffic over nonstandard ports, spoofing IP addresses, and so 
on. But an even-easier hack is to exploit the general mechanism built into URL 
filtering systems that filter Web traffic based on specific URLs and keywords 
(words that match a list or meet a certain criteria). Users take advantage of 
this practice by converting the URL to an IP address and then to its binary 
equivalent. The following steps can bypass URL filtering in such browsers as 
Netscape and Mozilla: 

1. Obtain the IP address for the Web site. 



Chapter 16: Web Applications 





.J0KK 





For example, a gambling Web site (www .go-gamblin .com) blocked in 
Web-content filtering software has this IP address: 

IV 22. 33. 44 

is is an invalid public address, but it's okay for this example; you may 
want to filter out Web addresses on your internal network as well. 

2. Convert each individual number in the IP address to an eight-digit 
binary number. 

Numbers that may have fewer than eight digits in their binary form must 
be padded with leading zeroes to fill in the missing digits. For example, 
the binary number 1 is padded to 00000001 by adding seven zeroes. 

The four individual numbers in the IP address in Step 1 have these 
equivalent eight-digit binary numbers: 

10 = 00001010 
22 = 00010110 
33 = 00100001 
44 = 00101100 

The Windows Calculator can automatically convert numbers from deci- 
mal to binary notation: 

i. Choose ViewOScientific. 

ii. Click the Dec option button. 

iii. Enter the number in decimal value. 

iv. Click the Bin option button to show the number in binary format. 

3. Assemble the four 8-digit binary numbers into one 32-digit binary 
number. 

For example, the complete 32-digit binary equivalent for 10.22.33.44 is 

00001010000101100010000100101100 

Don't add the binary numbers. Just organize them in the same order as 
the original IP address without the separating periods. 

4. Convert the 32-digit binary number to a decimal number. 

For example, the 32-digit binary number 

00001010000101100010000100101100 equals the decimal number 
169222444. 

The decimal number doesn't need to be padded to a specific length. 



Part V: Application Hacking 



5. Plug the decimal number into the Web browser's address field, like 
this: 



d Boo ks tp 7 69222444 

l t &!LSty The Web page loads easy as pie! 

The preceding steps won't bypass URLs in Internet Explorer. 




Countermeasures 



If the bypassing of certain Web-content filters is an issue for your network, 
ask your content-filtering vendor if it has a solution. 



Automated Scans 

Automated application-security-assessment tools can find vulnerabilities 
within a Web application that are next to impossible to find otherwise. 




You can't solely rely on automated tools to test your Web applications. But I 
can't imagine comprehensive security testing without them. 



Nikto 

Figure 16-6 shows the partial results of a Nikto scan against a default IIS 5.0 
installation. This scan found that the remote scripts directory is browsable 
and that the server is vulnerable to XSS. It also identified default scripts. 
Nikto found 16 potential vulnerabilities out of the 2,000 items checked. 



Weblnspect 

Figure 16-7 shows the output of a Weblnspect scan against the default IIS 5.0 
installation. This scan found XSS vulnerabilities, the HS-specific Microsoft 
Data Access Components, and the null . pri nter vulnerabilities. Weblnspect 
found a total of 208 potential vulnerabilities out of the 3,000 items checked. 



Chapter 16: Web Applications 



DBOi 



Figure 16-6: 

The results 
of a Nikto 
Web 
application 
scan. 




3 N >l<to Results - Microsoft 



FSe Edit View Favorites Tools Help 

1 - @ !D £ I ^Search [$jFavorltes r^Medta (J | ^ # |S> 3 , 



Nikto vl.32/1.19 

CIRTjiet 



TareetlP: 10.11 12.206 
Target Hostname: 10.11.12.206 
Target Port: 80 

StartTanc:SatJanl7 17:38:132004 



Server: Micro soft-TJS/5.0 

Allowed HTTP Methods. OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK 

HTTP method 'PROPFIND' may indicate DAWWebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists. 
HTTP method 'SEARCH' may be used to get directory listings if Index Server is running. 
HTTP method 'TRACE' is typically only used for debugging It should be disabled. 
Microsoft-HS/5. 0 is outdated if server is Win2000 (4. 0 is current for NT 4) 
/ - Appears to be a default US install. (GET) 

/ - TRACE option appears to allow XSS or credential theft. See http.//www. c gi s e c nr if v ' . l: ■ : ■ itL'' vv 1 u t e i ^ ,l • r : n: r ■ ■; ■'~"-ni;-::T ,:;ti i ^ ;:" [■. i <k:\\\b .221' ACE-'. 

I - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See iittp^v."/.".-.' ..^i-uiniY ^>iu'\viut^li;ii:-i:iiii'.'i.^nutel^>rr ;i.nrrM.:.-.lf for details 
(TRACK) 

/scripts - Redirects to hit;: .''I ; II [2 2 "■ V^.;:;. is/ . Remote scripts directory is browsable. 

■li.;.i;i:t-^l..J1:Au:|, i ': :-. ^■.■■Jr l ; v..- £ - A -; r , - This is a default US scnptffile which should be removed. CAN- 1999-0738 . MS99-013 . (GET) 

^l>'j'JLv;l:|.'' : .-. ::/-.y.k- ; . .;:■].- - US n vines witii an A SI' that allows remote code to viewed. All default files in /TiSSamples should be removed. 



CAN- -.ry-i. MS99-013 . (GET) 



iizzzzzzzzz d. html - The IIS server may be vulnerable to Cross Site Scripting (XSS) in error messages, ensure Q3 19733 is installed, see ?■ j-018 , CVE- 
2002-0075 , SNS-49, CA-2002-09 (GET) 



■'i:r;-i'.ii. 1 . ' ' ■ .% 'J ' - -222 ■ \-v^ru il . l: v ^ i :i:i.:-2 ■ _ j : j :H . -r- lu + . ■ -,:~r - May be able to issue arbitrary commands to host. (GET) 
/msadc/msadcs.dll - See RDS advisory RFP9902. CVE-l:-.v-: : LL l-iC?2-004 . MS99-025 RFP-9902 BTD-29 

v:-d-.-\\:-,. b. .'].- :. .- . -i:.'Cj,j[ ' : ,\ A _)_ '~'IA'~' .'-054 ■ 'y.-vy,' ,i. iL j ■_ : ^ll '"L-i :.1-.-:u._ ■'- -Of-! ■ iiiiiil vr^v.stiunhiorm r-jirAvil'j'29 (GET) 



; 2uJb. : ..:.u:: - Frontpage I'Mmfer 2 21 has been found FI 1 Server "rrsi'Mi r C allows remote users to execute arbitrary system cornnian ■:!_-. though a 
vulnerability in mis version could not be confirmed CAN- 1999- 1376 . BID-2252 . (GET) 

Z_vli_biri/shtml.dll/_vti_ipc7memod=server4version%3a4%2e0%2e2%2e261 1 - Gives info about server s 
111 ■ -l'T. . BLO-lo'.io' . ETT-1174 . (POST) 

'I 



. ^'aIT-I'uul-luIJ . ■-AI^I-2'L'lili-i;)709 . CAN- 



^ Local ,^ 06;3Ii51P " 



Figure 16-7: 

The results 
of a 

Weblnspect 
Web- 
application 
scan. 



File Edit View Tools Help 

~J few... D 0 ► li B Aydlt 

- 0(J / 



BQ (Query)L ; ioiptL.Eirigu.igeFiefirrence=35cript 
0 :>>Ji?r ■•i: , iptL="igi.jegeHie ; erer ce ■ ■ ' .■ "l: _ ■ ■: : i p r 



t Policy Manager ^Report.. 
Session Properties 



[j ' Export ^) Scheduler /? Smart Update 



ffl BQ- 

0Qj 

BO _vti_iog 

BO _vti_pvt 

BO _vti_tit 

BO "sadmin 
B BO i«belp 

- BO ii samples 

B _l homepage 
+ BO^dk 

B** 4 .global. asa 

B*** .global. asa 

B*"» -global, asa 

B«"» Copy^Oofo^Oglobal.asa 

B*"* global.asa 

B*"* Shortcut%2Oto%20global.a 
BO images 

- 0 ■ msadc 

B** msadizs.dll 

BO 5c,i P ts 

|7ir~1 web pub 

B J ld':at>l:ait,a>p 
B** null. printer 
B*"» TRACE X5S check 



Vulnerability 

0 Web Browser 
HTTP Request 
HTTP Response 

(?) Show Detals 

@ Show Links 

(5) Show Comments 

(3) Show Text 



Show Hiddens 
5how Forms 
HTTP Editor 



<J_ 

Rsk 
- 



i 



Alerts Information Scan Log . 
Scan Saved. 



Multiple Vulnerabilities Were Found: 



ry: Directory ( private) 



Vulnerability ID: 3569 

FrontPage Directory: /_private/ 

Restrict access to important directories or files. 
Apache: 

Security Tips for Server Configuration 
Protecting Confidential Documents at Your Site 
Securing Apache - Access Control 

IIS: 

Implementing NTFS Standard Permissions on Your Web Site 



~3r 



I Description 

E Possible Bracket Double Quote Cross- Site Scripting (Single Quote) 

ffi Possible IMG-Tag Embedded Javascript Cross- Site Scripting 

3 Possible Comment Injection Cross-Site Scripting 

SI Frontpage Server Extensions author, exe DOS Attack 

S Certificate Host Check 

83 ASP Runtime Error Message 

1 App'icabori Liroi Message 



Part V: Application Hacking 



General Best Practices for Minimizing 
\^XO^MibQ^0ication Security Risks 

Keeping your Web applications secure requires ongoing vigilance from an 
ethical hacking perspective and from your Web-application developers and 
vendors. Keep up with the latest hacks and testing tools and techniques. 



Obscurity 

The following forms of security by obscurity can help prevent automated 
attacks from worms or scripts that are hard-coded to attack specific script 
types or default HTTP ports. 

To protect Web applications and related databases, use different 
machines to run each Web server, application, and database server. 

The operating systems on these individual machines should be tested 
for security vulnerabilities and hardened based on best practices and 
the countermeasures. in Chapter 11 (Windows), Chapter 12 (Linux), and 
Chapter 13 (NetWare). 

Use built-in Web-server security features to handle access controls and 
process isolation, such as the application-isolation feature in IIS 6.0. 

This helps ensure that if one Web application is attacked, it won't neces- 
sarily risk any other applications running on the same server. 

f* If you're concerned about platform-specific attacks being carried out 
against your Web application, you can trick the attacker into thinking 
the Web server or operating system is something completely different. 
Here are a few examples: 

• If you're running a Microsoft IIS server and applications, you may 
be able to rename all your ASP scripts to have a . c g i extension. 

• If you're running a Linux Web server, use a program such as IP 
Personality (i ppersona 1 i ty . sourcef orge .net) to change the 
OS fingerprint so the system looks like it's running something else. 

Change your Web application to run on a nonstandard port. Change 
from the default HTTP port 80 or HTTPS port 443 to a high port number, 
such as 8877. 

Don't rely on obscurity alone; it isn't foolproof. A dedicated hacker may be 
able to determine that the system isn't what it claims to be. 





Chapter 16: Web Applications 



295 



DropBo 



Fireu/atts 




lflte using these Web-application firewalls to protect your systems and 
rm*Snon: 

is* A network-based firewall that can detect and block attacks against Web 
applications. 

• Commercial firewalls are available from such companies as 
NetScreen (www . netscreen . com), TippingPoint Technologies (www . 
ti ppi ngpoi nt . com), and Check Point (www . checkpoi nt . com). 

• An open-source firewall project called CodeSeeker is maintained by 
OWASP (www .owasp.org/development/codeseeker). 

v 0 Host-based Web-application intrusion-prevention applications such as 

• BlacklCE — my all-time-favorite software application 

• Ubizen DMZ/Shield Enterprise (www . ubi zen . com) 

• Eeye SecurellS (www . eeye .com) 

• McAfee Entercept (www . nai . com) 

These programs can detect Web-application attacks in real time and cut 
them off before they have a chance to do any harm. 

«>* Find security holes in Web applications before they're deployed. Use 
a third-party code-examiner expert or an automated tool, such as 
Flawfinder (www .dwheeler.com/flawfinder), ITS4 (www . ci gi tal . 
com/i ts4), and RATS (www . secures of tware . com/ audi ti ng_tool s_ 
down! oad . htm) 



Software development is where security holes begin and should end — but 
rarely do. If you can influence your Web developers, you can really make a 
difference in the security of your Web applications by encouraging secure 
development practices from the start. See Appendix A for resources. 



Part V: Application Hacking 



DropBooks 



Part VI 

DropBook|thical Hacking 

Aftermath 



The 5 th Wave B v Rich Tennant 




DropBooks 



In this part . . . 



f M yen, now that the hard — or at least technical — stuff 
▼ ▼ is over with, it's time to pull everything together, 
fix what's broken, and establish some good practices to 
move forward with. 



First off, this part covers reporting the vulnerabilities you 
discovered to help get upper management buy-in and 
(more) budget to fix the security problems you've found. 
This part then covers some good practices on plugging the 
various security holes within your systems and patching 
everything up to keep from being hacked. Finally, this part 
covers what it takes to manage change within your secu- 
rity systems for long-term success, including outsourcing 
ethical hacking so you can add even more projects to your 
overflowing plate! That's what working in information tech- 
nology is all about anyway, right? 



Chapter 17 

OC faporting Your Results 



In This Chapter 

Bringing your test data together 

Categorizing the vulnerabilities you discovered 

Documenting and presenting the final results 



■ f you're looking for a break after testing, now isn't the time to rest on your 
«C laurels. The reporting phase of your ethical hacking is the most critical 
piece. The last thing you want to do is to run your tests, find security prob- 
lems, and leave it at that. It's important to make sure that all your time and 
effort is put to good use by thoroughly analyzing and documenting what you 
found to ensure that security vulnerabilities are fixed. 

Ethical hacking reporting includes debriefing upper management or your 
client on the various security issues found. You share the information you 
gathered and give the other parties guidance on where to go from here. 
Reporting also shows that time, effort, and money are put to good use. 



Pulling the Results Together 

When you have gobs of test data — from manual observations you docu- 
mented to detailed reports from the various tools you used — what do you 
do with it all? The task at hand is to go through your documentation with a 
fine-tooth comb and highlight with a marker all the areas that stand out. Base 
your decisions on 

Your knowledge as a security professional 
I Vulnerability ratings from your assessment tools 



Part VI: Ethical Hacking Aftermath 



Dro 




Many feature-rich security tools assign each vulnerability a risk rating, explain 
the details of the vulnerability and give possible solutions, and even reference 
f\ 4}pci*jC link to the Common Vulnerabilities and Exposures (CVE) Web site at 
^j^/pV^^e .org so you can find out more information about the vulnerability. 
For further research, you may also need to reference the vendor's Web site to 
find out more and see whether the vulnerability affects your particular system. 

You can plug this information into a table in Excel or in Word. I prefer to go 
through everything in hard-copy form because it's easier for me to read, but 
your choice may depend on how much data there is. If you think more highly 
of trees, you may want to just read the results off the computer screen and 
copy and paste the items that stand out into a new Vulnerabilities to Address 
document. 

In your document, you may want to organize the vulnerabilities as shown in 
the following list: 



v* Nontechnical Issues 

• Social Engineering Vulnerabilities 

• Physical Security Vulnerabilities 

• Miscellaneous 
Workstations 

• Operating Systems 

• Applications 

• Miscellaneous 
Servers 

• Operating Systems 

• Applications 

• Miscellaneous 
V Other Network Hosts 

• Hubs and Switches 

• Routers 

• Firewalls 

• Intrusion-Detection Systems 

• Miscellaneous 



Chapter 17: Reporting Your Results 



Consider creating a couple of separate lists for these security vulnerabilities: 



ipBoo 




nal vulnerabilities, such as internal hosts and organizational issues 

rnal vulnerabilities, such as public hosts, business-partner network 
connections, and telecommuters 



Prioritizing Vulnerabilities 

It's critical to prioritize the security vulnerabilities you've found, because many 
may not be fixable or not worth fixing. You may not be able to eliminate some 
vulnerabilities due to various technical reasons, and you may not be able to 
afford to eliminate others. You need to factor in whether the benefit is worth 
the effort and cost involved. For instance, if you determine that it will cost 
$8,000 to encrypt a sales-leads database worth $5,000 to the organization, it 
may not make sense. You need to study each vulnerability carefully and weigh 
whether it's worth fixing. 




Analyze each vulnerability carefully, and determine your worst-case scenarios. 
It's not possible — or not worth trying — to fix every vulnerability that you've 
found. 



Here's a quick-and-dirty method you can use when prioritizing your vulnera- 
bilities. You should tweak it based on your needs. You need to consider two 
major factors for each of the vulnerabilities you've discovered: 

*<" Likelihood of use: How likely is it that the specific vulnerability you're 
analyzing will be taken advantage of in a malicious way by a hacker, a 
rogue insider, or malware? 

Impact if exploited: The impact is rated based on how detrimental it 
would be to the information systems you're assessing and the organiza- 
tion as a whole. 




Rank each vulnerability, using criteria such as High, Medium, and Low or a 
l-through-5 rating (where 1 is the lowest and 5 is the highest) for each of the 
two categories. Table 17-1 shows a sample table and a representative vulnera- 
bility for each category. 



Part VI: Ethical Hacking Aftermath 



Table 17-1 




Prioritizing Vulnerabilities 






Likelihood 




7l\o 


High 


Medium 


Low 


High 


Unsecured 
wireless AP 


No admin pass- 
word on SQLServer 


Unencrypted emails 
being sent 


Medium 


End users with 


Unauthorized 


Tape backups that 
are not password- 
protected 




iruemei-oruy access wnen 
access having weak user is away 
login passwords from computer 


Low 


Outdated virus 
signatures on a 
stand-alone PC 
dedicated to 
Internet browsing 


Weak encryption 
being exploited 


Cleaning-crew 
personnel gaining 
unauthorized net 
work access 



The vulnerability prioritization shown in Table 17-1 is based on the qualitative 
method of assessing risks. It's subjective, based on your knowledge of the sys- 
tems and vulnerabilities, but you can also consider any risk ratings you get 
from your security tools. Chapter 18 identifies vulnerabilities to focus on. 



Reporting Methods 

You need to organize your vulnerability information into a nice, pretty docu- 
ment for upper management or your customer. Ferret out the critical findings, 
and document them in a way that other parties can understand them without 
having to be security experts. 

Graphs and charts are a plus but not required. Screen captures of your 
findings — especially when it's more difficult to save the data to a file — 
can add a really nice touch to your reports. 

Document the vulnerabilities in a concise, nontechnical manner: 

Every report should contain the following information: 

• Tests that were performed 

• Specific dates and times the testing was carried out 

• Summary of the vulnerabilities discovered 

• Prioritized list of vulnerabilities that need to be addressed (action 
items) 





Chapter 17: Reporting Your Results 



DropBooks 



If it will add value to upper management or your customer, add this 
information to your report: 



Steps on how to plug the security holes found 

List of general recommendations to improve overall security 





Most people want the hard-copy report to include a summary of the findings — 
not everything. The last thing most people want to see is a 5-inch stack of 
papers to sift through. 

Many managers and customers like receiving raw-data reports from the secu- 
rity tools on a CD-ROM. They can reference the data later if they want but don't 
have to get mired in hundreds of hard-copy pages of technical gobbledygook. 

Your list of action items may include something similar to the following: 

Enable Windows auditing on all servers. 
V Put lock on server-room door. 

u* Harden operating systems based on best practices from SANS (www . 
sans.org), NIST (crsc . ni st . gov), the National Security Agency 
Security Recommendation Guides (www . nsa . gov/snac/i ndex . html), 
and Network Security For Dummies. 

Use a paper shredder for the destruction of confidential hard-copy 
information. 

Install personal firewall/IDP software on all laptops. 
i>* Apply the latest vendor patches to the Web server. 



As part of the final report, you may want to document employee reactions 
you observed when carrying out your ethical hacking tests. For example, 
were employees completely oblivious or even belligerent when you carried 
out an obvious social-engineering attack? Did IT or security staff completely 
miss technical tip-offs, such as the performance of the network degrading 
during testing or various attacks listed in system log files? You can also docu- 
ment other security issues you observed, such as how quickly IT or security 
staff responded to your tests or whether they even responded at all. 

If an ethical hacking report and all the associated documentation and files 
were to fall into the hands of a competitor, hacker, or malicious insider, that 
could spell disaster for the organization. Here are some ways to prevent this 
from happening: 

Keep the report and associated documentation and files confidential, 
and deliver them only to those who need to know. 



Part VI: Ethical Hacking Aftermath 



pBooks 



v* Remove these programs and data that a hacker or rogue insider could 
use from the report in malicious ways: 



Tools, such as password crackers and network analyzers 
Log files 
• Test data 

I recommend leaving the actual testing steps out of the report. Just answer 
any questions on that subject as needed. 





Chapter 18 



In This Chapter 

Determining which vulnerabilities to address first 

Patching your systems 

Looking at your security in a new light 




low it's time to head down the road to greater security. You've found 
# w some security vulnerabilities — ideally, not too many serious ones! 
These security holes must be plugged before someone exploits them. This 
is going to require rolling up your sleeves and using a little elbow grease to 
make things happen. First, you need to come up with your game plan and 
decide which security vulnerabilities to address first. A few patches may be 
in order, and possibly even some system hardening. This may be a time to 
reevaluate your network design and security infrastructure as well. I touch 
on some of the critical areas here. You may also want to refer to the fine book 
Network Security For Dummies, by Chey Cobb (Wiley Publishing Inc.). Chey 
does a great job of covering each of these topics in depth. 



Turning \lour Reports into Action 



It may seem obvious which security vulnerabilities to address first, but it's 
often not that black-and-white. The variables involved with each host that 
need addressing include 

i>* Whether the vulnerability can be fixed 
i>* How critical the host is 

Whether you can take the system offline to fix the problem 

How easy the vulnerability is to fix 
u 0 Costs involved in purchasing new hardware or software to plug the holes 



Part VI: Ethical Hacking Aftermath 



tne secur 

DBoote 

are iust hi 



In Chapter 17, 1 cover the more basic issues of how important and how urgent 
the security problem is. You should look at this from a time-management per- 
and address the issues that are both important (high-impact) and 
igh-likelihood). You don't want to try to fix the vulnerabilities that 
are just high-impact or just high-likelihood. You may have some high-impact 
vulnerabilities that will likely never be exploited. Likewise, you probably have 
some vulnerabilities that have a high likelihood of being exploited, yet won't 
really make a big difference in the future of the company. 

Focus on the highest-payoff tasks — those that are both high-impact and 
high-likelihood. Ideally, this will be the minority of your overall number of 
vulnerabilities. Then you can go after the less important and less urgent 
tasks, such as a renaming the administrator ID on a handful of noncritical 
stand-alone workstations, as time and money permit, if that's what you 
choose to do. 



Patching for Perfection 

Do you ever feel like all you do is patch your systems to fix security vulnerabili- 
ties? If you answer yes to this question, good for you — at least you're doing it! 
If you constantly feel pressured to patch your systems but can't seem to find 
time — at least it's on your radar! Many IT and security professionals don't 
even think about patching their systems until they get hacked. If you're reading 
this book, you're obviously concerned about security and way past that. 




Whatever you do, whatever tool you choose, and whatever procedures work 
best in your environment — keep your systems patched! 



Patching is a necessary evil. The only real solution to eliminating the need for 
patches is developing secure software in the first place, but that's not going 
to happen any time soon. The majority of security incidents can be prevented 
with some good patching practices, so there's simply no reason not to patch. 



Patch management 

Whether you can keep up with the deluge of security patches for all of your 
systems, don't despair; there are some ways to get a handle on the problem. 
Here are my three basic tenets of applying patches to keep your systems 
secure: 

Make sure all the people and departments that are involved in applying 
patches in your organization's systems are on the same page and follow 
the same procedures. 



Chapter 18: Plugging Security Holes 



I Have procedures in place for these critical processes: 

Obtaining patch alerts from your vendors. 

Assessing which patches affect your systems. 

• Determining when patches are applied. 

Appendix A lists links to patch-notification systems. 

i>* Make it policy and have a procedure in place for testing patches before 
you apply them to your production servers, if that's possible. Many 
patches have undocumented features and subsequent unintended side 
effects — believe me, I've experienced this before. An untested patch is 
an invitation for system termination! 



Patch automation 

There are various patch-deployment tools you can use to lower the burden 
of constantly having to keep up with patches, as described in the following 
sections. 

Commercial toots 

I recommend a robust patch-automation application — especially if you have 
A large network 

i>* A network with several different operating systems (Windows, Linux, 
NetWare, and so on) 

More than a dozen or so computers 
There are various patch-automation solutions. Be sure to at least check out: 

V Patch Manager from BigFix (www . bi gf i x .com) 

HFNetChk Pro from Shavlik Technologies (www . s h a v 1 ik.com) 

V Ecora Patch Manager from Ecora (www . ecora .com) 

f* SysUpdate from SecurityProfiling (www . securi typrof i 1 i ng . com) 




The GFI LANguard Network Scanner product that I use to demonstrate a 
vulnerability-assessment tool in this book can both check for patches to be 
applied and deploy the patches. 



Watch the other major vulnerability-assessment tool vendors. They are start- 
ing to integrate logic in those programs to deploy patches to address the vul- 
nerabilities their products find — a process called vulnerability management. 



DropBooks 




Part VI: Ethical Hacking Aftermath 



■— ^ •— ^ it jou re 1 

DropBooEs 



Free tools 

If jou're running Windows, use one of these free automated tools: 



'dows Update, which is built into Microsoft Windows systems 
Microsoft Baseline Security Analyzer (MBSA) 
W Microsoft Software Update Services (SUS) Server 



Hardening \lour Systems 

Even after you patch your systems, you're still not done. You've got to make 
sure your systems are hardened from the other security vulnerabilities that 
patches cannot fix. I've found over the years that many people stop with patch- 
ing, thinking their systems are secure, but that's just not possible. Throughout 
the years, I've seen network administrators ignore recommended hardening 
best practices from organizations such as SANS (www .sans.org), NIST (www . 
nist.gov), and the National Security Agency (www .nsa.gov/snac/index. 
html), leaving many security holes wide open. 

Network Security For Dummies contains a lot of great resources for hardening 
various systems on your network. 

I was once involved in cleaning up a hack attack on a Windows NT server 
for a customer of mine. I had been telling them ever since they hired me that 
they needed to let me harden their network from attack. They basically had a 
server wide open on the Internet with a public IP address (ouch!) and no fire- 
wall installed. They were willing to pay me to patch the server, but that was 
it. There was only so much that could be done to secure it completely from 
the elements, given their environment and specific needs. They didn't heed 
my advice on at least getting the server behind a firewall, if not reconfiguring 
the way their application worked. Neither of these was an option. 

Time passed, and nothing happened until one day, a hacker compromised the 
server, uploaded FTP server software, and started hosting illegal movies and 
music — effectively locking everyone out the server. After the downtime, lost 
business, and cost of paying me to finally fix the problem, it ended up costing 
them way more than the price of a firewall and a couple of hours of installa- 
tion time. 

This book presents hardening countermeasures that you can implement for 
your network, computers, and even physical systems and people. These are 
the ones I've found to work the best for the respective systems. 

It's absolutely critical to implement at least the basic security best practices. 
Whether installing a firewall on the network or requiring users to have strong 
passwords — you must do the basics if you want any modicum of security. 




Chapter 18: Plugging Security Holes 



Beyond patching, if you follow the countermeasures I've documented in this 
book, along with the other well-known security best practices that are freely 
on the Internet for such network systems (routers, servers, work- 
and so on), as well as perform ethical hacking tests on an ongoing 
_, you can rest assured that you're doing your best to keep your organiza- 
tion's information secure. 



DropBoo* 

basis 



Assessing l/our Security Infrastructure 

A review of your overall security infrastructure can add oomph to your 
systems. 

Look at the big picture. How is your network actually designed? What about 
your building? You should even consider organizational issues such as whether 
policies are in place, maintained, or even taken seriously. Does upper man- 
agement take information security seriously, or do they simply shrug it off as 
another unnecessary expense? 

Using the information you gathered by performing the ethical hacking tests 
in this book, map your network. Update existing documentation — a major 
necessity. Outline IP addresses, running services, and whatever else you've 
found out. Although I prefer Visio or other, more-capable network diagram- 
ming tools, you could even draw out your map on a napkin! Just draw it out. 
Network design and overall security issues are a whole lot easier to assess 
when you can see them visually. 

Are you focusing all your efforts on the perimeter and not on a layered security 
approach? Think about how most convenience stores and banks are protected. 
Their security cameras are focused on the cash registers, teller computers, 
and surrounding areas — not just on the parking lot or entrance areas. Look 
at security from a defense in-depth perspective. Make sure that several layers of 
security are in place just in case one measure fails, so the malicious user must 
go through various other barriers and jump through other hoops to carry out 
a hack attack successfully. 

Do the same thing with organizational issues as well. Document what security 
policies and procedures are in place and how effective they are. Look at the 
overall security culture within your company, and see what it looks like from 
an outsider's perspective. What would customers or business partners think 
about how your organization is treating their confidential information? 

Looking at your security from a high-level and nontechnical perspective will 
give you a new outlook on what else still needs to be done. It takes some time 
and effort at first, but after you establish a baseline of security, it will be much 
easier to manage and keep a handle on moving forward as new threats and vul- 
nerabilities emerge. 



/ 0 Part VI: Ethical Hacking Aftermath 



DropBooks 



Chapter 19 

DropB ^n s aging Security Changes 



In This Chapter 

Automating tasks 

Watching for misbehavior 

Outsourcing testing 

Keeping security on everyone's mind 

••••••••••••••••••••••••••••••••••••••••••••••••a 

/nformation security is an ongoing process that must be managed effectively 
to be successful. This goes beyond applying patches and hardening systems 
every so often. Performing your ethical hacking tests again and again is critical; 
information security threats and vulnerabilities constantly emerge. Combine 
this with the fact that ethical hacking tests are just a snapshot in time view of 
your overall information security, so you have to perform your tests on an 
ongoing basis to keep up with the latest security issues. 

You need to consider a few key issues in your ongoing efforts, such as automat- 
ing some of the testing, monitoring for malicious use, and even outsourcing 
some or all of your ethical hacking and security services. In this chapter, I 
cover the critical issues that you can consider to help ensure long-term suc- 
cess in your security efforts. 



Automating the Ethical Hacking Process 

The ethical hacking tests that can be automated are covered in this book: 

Port scans 
I V Password-cracking tests 

Vulnerability-assessment tests 

You've got to have the right tools to automate tests: 

f* Some commercial tools can set up ongoing assessments and create nice 
reports for you without any hands-on intervention — just a little setup 
and scheduling time up front. This is why I like many of the commercial 




Part VI: Ethical Hacking Aftermath 



pBoote 



security testing tools. This often helps justify the price of the tools — 
especially if you don't have to be up at 2:00 in the morning or on call 24 
,rs a day to monitor the testing. 



d-alone security tools such as Nmap, John the Ripper, and Nessus 
aren't enough. You can use the Windows Scheduler and AT commands 
on Windows systems and cron jobs on UNIX-based systems, but manual 
steps are still required. 



True security isn't possible by automating everything. Certain issues can't 
be set on autopilot, such as enumeration of new systems, social engineering, 
and physical-security walk-throughs. Even the smartest computer "expert 
system" will never be able to accomplish some security tests. Good security 
requires both technical know-how and good old-fashioned experience. 



Monitoring Malicious Use 

Monitoring for security events is essential for ongoing security efforts. This 
can be as basic — and mundane — as monitoring log files on routers, firewalls, 
and critical servers every day or as advanced — and, often, expensive — as 
implementing an event-correlation system to keep tabs on every little thing hap- 
pening on the network. A common method is to deploy an IDS or IDP system 
and monitor for malicious behavior. The problem with this and most security 
monitoring solutions is that it can be a very boring yet very difficult task to do 
effectively. 

\\V ^ Consider dedicating a time every day — such as first thing in the morning — 
""""" to check your critical log files from the previous night or weekend to ferret 

out intrusions and other computer and network problems that could be secu- 
rity-related. You could also dedicate a person to this task, but do you really 
want to subject someone to that kind of torture? 



i>* Finding some — much less all — critical security events in system log 
files is difficult or impossible. It's just too tedious a task for the average 
human to accomplish effectively. 

i>* Some security events, such as IDS evasion techniques and hacks coming 
into allowed ports on the network, may not be detected at all, depending 
on the type of logging and security equipment you have in place. 



Enable as much event logging as possible. You don't necessarily need to cap- 
ture all computer and network events, but you should definitely look for cer- 
tain obvious ones, such as login failures, packets, and unauthorized file access. 
The preferable way to log security events is to use a syslog server on your net- 
work and not keep logs on the local host, if at all possible. This can help prevent 
hackers from tampering with log files to cover their tracks. Check out www .log 
a n a 1 y s i s . o r g for great logging resources. 



Chapter 19: Managing Security Changes 



A couple of good solutions to the security monitoring dilemma are to 

J^Piw^hase an event-logging system. A few low-priced yet effective solutions 
ftare^vailable, such as GFFs Security Event Log Monitor (www . gf i .com/ 
1 ansel m). Just keep in mind that typically lower-priced event-management 
systems usually support only one OS platform: Microsoft Windows. Higher- 
end solutions, such as GuardedNet's neuSECURE (www . guardednet .net), 
offer both basic log management and event correlation to help track down 
the source of security problems, as well as the various systems that were 
affected during an incident. 

W Outsource security monitoring to a third-party managed security services 
provider (MSSP). Dozens and dozens of MSSPs were around during the 
Internet boom days, but only a few strong ones still remain. The value in 
outsourcing security monitoring is that the MSSP often has facilities and 
tools that you may not be able to afford. They also have analysts working 
around the clock and can take the security experiences and knowledge 
they gain from other customers and share it with your systems. 

When these MSSPs discover a security vulnerability or intrusion, they 
can usually address the issue immediately often without even getting 
you involved. I recommend at least checking whether third-party firms 
and their services can free up some of your time and resources so you 
can focus on other things. Just don't depend solely on their monitoring 
efforts; an MSSP can't catch insider abuse or social-engineering attacks. 
You're still going to have to be involved in a limited capacity. 



DropBoo 



Outsourcing Ethical Hacking 

Outsourcing ethical hacking is very popular. It's a great way for organizations 
to get an unbiased third-party perspective on their information security. 




Outsourcing ethical hacking is expensive. Many organizations will have to 
spend thousands — often, tens of thousands — of dollars, depending on the 
testing needed. But it's not cheap to do all of this yourself! 



Outsourcing allows you to have a sort of checks-and-balances system. 




Outsourcing isn't free or inexpensive. A lot of confidential information is at 
stake, so you must be able to trust your outside consultants and vendors. 
Consider the following questions when looking for a vendor to partner with: 



v 0 Is your ethical hacking vendor on your side or third-party vendors' side? 
Is the vendor trying to sell you products, or is it vendor-neutral? Many 
vendors may try to make a few more dollars off the deal — which may 
not be necessary for your needs. This may be okay, but just make sure 
that no major conflicts of interest are making you uncomfortable. 



Part VI: Ethical Hacking Aftermath 



pBookj 



I What other IT or security services does the vendor offer? Does it focus 
solely on security? 



\n help to find an ethical hacking specialist instead of an IT generalist 
Inization to do this testing for you. 

V What are your vendor's hiring/termination policies? 

Look for measures the vendor takes to minimize the chances that an 
employee will walk off with all of your confidential information. 

V Does the vendor understand your business needs behind ethical hacking? 

Have the vendor repeat the list of your needs back to you to make sure 
you're both on the same page. 

How well does the vendor communicate? Do you trust that the vendor 
will keep you informed and will follow up with you in a timely manner? 

v 0 Do you know exactly who will be performing the tests? Will one person 
do all the testing, or will subject-matter experts focus on the different 
areas? This isn't a deal breaker — it's just nice to know. 

Does the vendor have the experience to recommend practical and effec- 
tive countermeasures to the vulnerabilities found? 

Do you get the impression that the vendor is in this to make a quick 
buck off the services, with minimal effort and value added, or is the 
vendor in this to build loyalty with you? 

Find a good organization to work with long-term. That will make your 
ongoing efforts much simpler. 

i>* Ask for several references, and sample sanitized deliverables from your 
vendor. If the vendor cannot produce these, or it seems overly difficult, 
look for another vendor. 

Run criminal-background checks on every person involved on the ethi- 
cal hacking project. It's really cheap. I even slap my own customers' 
hands when they don't ask for permission to run a background check 
before hiring me for ethical hacking projects. If criminal-background 
checks aren't an option, make a thorough Internet search via search 
engine. 



If your vendor won't agree to background checks of everyone involved in the 
ethical hacking projects, run — fast — to find another vendor. In addition, if 
the vendor won't disclose the details of what it's going to test for (not neces- 
sarily how the testing will be carried out), or won't commit to being available 
in case problems arise, find another vendor. Also, be wary if your vendor 
talks openly about the security (or general lack of it) of other clients. The 
vendor may just do the same for your organization as well! 



Your vendor should have its own services agreement for you to sign, which 
should include a mutual nondisclosure statement. Make sure you both sign 
off on this to help protect your organization in the future. 



Chapter 19: Managing Security Changes 



Dro 




inking about hiring a reformed hacker? 



Forrrmr hackers -^Tm referring to the black-hat 
hackers who have hacked into computer sys- 
tems in the past — can be very good at what 
they do. Many people swear by it. Others com- 
pare thisto hiring the proverbial foxto guard the 
chicken house. If you're thinking about bringing 
in a former unethical hacker to test your sys- 
tems, consider these issues: 

Do you really wantto reward hacker behav- 
ior with your organization's business? 

Claiming to be reformed doesn't mean he or 
she is. There could be deep-rooted person- 
ality issues you're going to have to contend 
with. Buyer beware! 

Information gathered during ethical hacking 
is some of the most sensitive information 



your organization possesses. This informa- 
tion in the wrong hands — even ten years 
after being gathered — could be used 
against your organization. Some hackers 
hang out in tight social groups. You may not 
want your information being shared in their 
circles. 

Everyone deserves a chance to explain what 
happened in the past. Zero tolerance is sense- 
less. Listen to his or her story, and use common- 
sense discretion as to whether or not you trust 
this person to help you. The supposed black-hat 
hacker may have actually just been a gray hat 
or even a misguided white-hat hacker who 
makes a good fit in your organization. 



Outsourcing ethical hacking may make good business sense for you, espe- 
cially if you don't have the time or internal resources. Stay educated on the 
process, and keep tabs on what your vendor is doing during the process. 



Instilling a Security* Au We Mindset 

Your employees are often your first and last line of defense. Make sure all 
of your ethical hacking-efforts and money spent on all of your information- 
security initiatives aren't wasted due to a simple employee slip-up that gives 
a hacker the keys to the kingdom. 

These elements can help establish a security-aware culture in an organization: 

u* Make employee awareness of security an active and ongoing process. 

V Treat awareness and training programs as a long-term business 
investment. 

It doesn't have to be expensive. You can buy posters to hang up in break 
rooms, as well as mouse pads, screen savers, pens, and sticky notes to 
help get the word out and keep security on the top of everyone's mind. 
Some great vendors are Greenidea, Inc. (www . green i dea . com), Security 
Awareness, Inc. (www . securi tyawa reness .com), and Interpact, Inc. 
(www . i nterpacti nc . com). 




Part VI: Ethical Hacking Aftermath 



>c Aiigi 

p Books 

Leac 



I Get the word on security out to upper management! 

Align your security message with your audience, and keep it as nontech- 
1 as possible. 



Lead by example. Show that you take this seriously, and offer evidence 
that helps to prove that everyone else should, too. 

If you can get the ear of upper managers and end users alike, and put enough 
effort forth to make security a priority day after day, you may be able to help 
shape the culture in your organization. This can provide security value beyond 
your wildest imagination. I've seen the difference it makes! 



Keeping Up With Other Security Issues 

Ethical hacking isn't the be all, end all solution to information security. It 
cannot even guarantee security, but it's certainly a great start. Ethical hack- 
ing must be integrated as part of an overall information-security program 
that includes 



Higher-level information-risk assessments 

Strong security policies that are enforced 

Solid incident-response and business-continuity plans 

Effective security awareness and training initiatives 

This may require hiring more staff or outsourcing more security help as well. 

Don't forget about formal training for yourself and any colleagues. You've got 
to educate yourself consistently to stay on top of this game. 



9/ 



Part VII 

DropBooklhe Part of Tens 



The 5 th Wave By Rich Tennant 




"Our automated response pdlicij to a lai^e 
company- wide data cvask is to notify 
mana^sment , back up existing data, and 
Sell 90^o of iwj shaves in -the oompanij." 



DropBooks 



In this part . . . 



IMJ ell, here's the end of the road, so to speak. In this 
▼ ▼ part, I've compiled what I believe are the absolute 
critical success factors to make ethical hacking — and 
information security in general — work in any organiza- 
tion. Bookmark, dog-ear, or do whatever you need to do 
with these pages so you can refer to them over and over 
again. This is the meat of what you need to know about 
information security — even more so than all of the tech- 
nical hacks and countermeasures I've covered thus far. 
Read it, study it, and make it happen. You can do it! 



Chapter 20 

DropBo ^n s TipsforGetting Upper 

Management Buy-In 



In This Chapter 

Staying away from fear, uncertainty, and doubt 
Proving yourself 
Communicating on their level 
Highlighting the benefits 

•••••••••••••••••••••••••••••••••••••••••••••••a 

Several key steps exist for obtaining the buy-in and sponsorship that you 
need to support your ethical hacking efforts. In this chapter, I describe 
the ones that I find to be the most effective. 



Cultivate an Ally and Sponsor 

Selling ethical hacking and information security to upper managers isn't 
something you want to tackle alone. Get an ally — preferably, your manager 
or someone at that level or higher in the organization — who understands 
the value of ethical hacking. Although this person may not be able to speak 
for you directly, she can be seen as an unbiased third-party sponsor and can 
give you more credibility. 



Don't Be a FUDdy Mddi} 

Sherlock Holmes said, "It is a capital offense to theorize before one has data." 
It's up to you to make a good case and to put information security and the 
need for ethical hacking on upper management's radar. Just don't blow stuff 
out of proportion for the sake of stirring up fear, uncertainty, and doubt (FUD). 
Managers worth their salt see right through that. Focus on educating upper 
management with practical advice. Rational fears proportional to the threat are 
fine — just don't take the Chicken Little route, claiming that the sky's falling. 



320 



Part VII: The Part of Tens 



Demonstrate Hort the Organization 
DropStfOllflM to Be Hacked 

Show how dependent the organization is on its information systems. Create 
what-if scenarios — kind of a business-impact assessment — to show what can 
happen and how long the organization can go without using the network, com- 
puters, and data. Ask upper-level managers what they would do without their 
computer systems and IT personnel. Show them real-world anecdotal evidence 
on hacker attacks, including malware, physical security, and social-engineering 
issues — but be positive about it. Don't approach this in a negative way with 
FUD. Rather, keep them informed on serious security happenings in their indus- 
try. Find stories related to similar businesses or industries so that they can 
^ relate. Clip magazine and newspaper articles. 

f|^?C\ Google is a great tool to find practically everything you need here. 

^^^^ Show management that the organization has what a hacker wants — a common 
misconception among those ignorant to the threats and vulnerabilities. And be 
sure to point out the potential costs from damage caused by hacking: 

Missed opportunity costs 
u* Loss of intellectual property 
Liability issues 
Legal costs 
Lost productivity 
Clean-up time and costs 
Costs of fixing a tarnished reputation 




Outline the General Benefits 
of Ethical Hacking 

In addition to the potential costs listed in the previous section, talk about 
how ethical hacking can help find security vulnerabilities in information sys- 
tems that normally may be overlooked. Tell management that ethical hacking 
is a way of thinking like the bad guys so you can protect yourself from the 
bad guys — the Art of War mindset. 



Chapter 20: Ten Tips for Getting Upper Management Buy-In 



ShovV Hou) Ethical Hacking Specifically 
>pfik)@teS Organization 



Document benefits that support the overall business goals: 

Demonstrate how security doesn't have to be that expensive and can 
actually save the organization money long-term. 

• Security is much easier and cheaper to build in up front than to 
add on later. 

• Security doesn't have to be inconvenient and can enable produc- 
tivity if it's done properly. 

i>* Talk about how new products or services can be offered for a competi- 
tive advantage if secure information systems are in place. 

• Certain federal regulations are met. 

• Managers and the company look good to customers. 

• Ethical hacking shows that the organization is protecting customer 
and other critical information. 



Get Involved in the Business 

Understand the business — how it operates, who the key players are, and 
what politics are involved: 

V Go to meetings to see and be seen. This can help prove that you're con- 
cerned about the business. 

\S Be a person of value who's interested in contributing to the business. 

Know your opposition. Again, use The Art of War and the "know your 
enemy" mentality — if you understand what you're dealing with, buy-in 
is much easier to get. 



Establish \lour Credibility 

Focus on these three characteristics: 

Be positive about the organization, and prove that you really mean busi- 
ness. Your attitude is critical. 

Empathize with managers, and show them that you understand the busi- 
ness side. 



Part VII: The Part of Tens 



To create any positive business relationship, you must be trustworthy 
Build up that trust over time, and selling security will be much easier. 



pBooks 

Speak on Their Letiel 



No one is really that impressed with techie talk. Talk in terms of the business. 
This key element of obtaining buy-in is actually part of establishing your credi- 
bility but deserves to be listed by itself. 

I've seen countless IT and security professionals lose upper-level managers 
as soon as they start speaking. A megabyte here; stateful inspection there; 
packets, packets everywhere! Bad idea! Relate security issues to everyday 
business processes and job functions. Period. 



Show Value in \lour Efforts 

Here's where the rubber meets the road. If you can demonstrate that what 
you're doing offers business value on an ongoing basis, you can maintain a 
good pace and not have to constantly plead to keep your ethical hacking pro- 
gram going. Keep these points in mind: 

Document your involvement in IT and information security, and create 
ongoing reports for upper-level managers regarding the state of security 
in the organization. Give them examples of how their systems will be 
secured from known attacks. 

Outline tangible results as a proof of concept. Show sample vulnerability- 
assessment reports you've run on your own systems or from the security 
tool vendors. 

v 0 Treat doubts, concerns, and objections by upper management as requests 
for more information. Find the answers, and go back armed and ready to 
prove your ethical hacking worthiness. 



Be Flexible and Adaptable 

Prepare yourself for skepticism and rejection at first — it happens a lot — 
especially from such upper managers as CFOs and CEOs, who are often com- 
pletely disconnected from IT and security in the organization. 

Don't get defensive. Security is a long-term process, not a short-term product 
or single assessment. Start small — with a limited amount of such resources as 
budget, tools, and time — if you must, and then build the program over time. 



Chapter 21 

fen Deadly Mistakes 



In This Chapter 

Obtaining written approval 

Assuming that you can find and fix everything 

Testing only once 

Having bad timing 



Several deadly mistakes — when properly executed — can wreak havoc 
on your ethical hacking outcomes and even your job or career. In this 
chapter, I discuss the potential pitfalls that you need to be keenly aware of. 

Mat Getting Approval in Writing 

Getting approval for your ethical hacking efforts — whether it's from upper 
management or the customer — is an absolute must. It's your get out of jail 
free card. 

Obtain documented approval that includes the following: 

is* Explicitly lay out your plan, your schedule, and the affected systems. 

f Get the authorized decision-maker to sign off on the plan, agreeing to the 
terms and agreeing not to hold you liable for malicious use or other bad 
things that can happen unintentionally. 

Get the signed original copy of the agreement. 



No exceptions here! 



Part VII: The Part of Tens 



Assuming That \lou Can Find All 
Drop6r(&0kS/to buring \lour Tests 

So many security vulnerabilities exist — some known and just as many or 
more unknown — that you can't find them all during your testing. Don't make 
any guarantees that you'll find all security vulnerabilities. You'll be starting 
something that you can't finish. 

Stick to the following tenets: 

Be realistic. 
Use good tools. 

f* Get to know your systems, and practice honing your techniques. 



Assuming That \lou Can Eliminate 
Alt Security Vulnerabilities 

When it comes to computers, 100 percent security has never been attainable 
and never will be. You can't possibly prevent all security vulnerabilities. You'll 
do fine if you 

Follow best practices. 
*** Harden your systems. 

V Apply as many security countermeasures as reasonably possible. 



Performing Tests Only Once 

Ethical hacking is a snapshot in time of your overall state of security. New 
threats and vulnerabilities surface continuously, so you must perform these 
tests regularly to make sure you keep up with the latest security defenses for 
your systems. 



Chapter 21: Ten Deadly Mistakes 




Pretending to Know It Alt 



jfcf\i^^rorking with computers or information security knows it all. It's basi- 
cally impossible to keep up with all the software versions, hardware models, 
and new technologies emerging all the time — not to mention all the associate 
security vulnerabilities! Good ethical hackers know their limitations — they 
know what they don't know. However, they certainly know where to go to get 
the answers (try Google first). 



Running \lour Tests Without Looking 
at Things from a Hacker's Viewpoint 



Think about how an outside hacker can attack your network and computers. 
You may need a little bit of inside information to test some things reasonably, 
but try to limit that as much as possible. Get a fresh perspective, and think 
outside that proverbial box. Study hacker behaviors and common hack attacks 
so you know what to test for. 



Focus on the systems and tests that matter the most. You can hack away all 
day at a stand-alone desktop running MS-DOS from a 5/4-inch floppy disk with 
no network card and no hard drive, but does that do any good? 



Without the right tools for the task, it's almost impossible to get anything 
done — at least not without driving yourself nuts! Download the free tools I 
mention throughout this book and list in Appendix A. Buy commercial tools if 
you have the inclination and the budget. No security tool does it all. Build up 
your toolbox over time, and get to know your tools well. This will save you 
gobs of effort, plus you can impress others with your results. 



Ignoring Common Attacks 



Not 



Using the Right Tools 



Part VII: The Part of Tens 



Pounding Production Systems 
B&dW&nuj Time 

One of the best ways to lose your job or customers is to run hack attacks 
against production systems when everyone and his brother is using them. Mr. 
Murphy's Law will pay a visit and take down critical systems at the absolute 
worst time. Make sure you know when the best time is to perform your test- 
ing. It may be in the middle of the night. (I never said being an ethical hacker 
was easy!) This may be reason enough to justify using security tools and other 
supporting utilities that can help automate certain ethical hacking tasks. 



Outsourcing Testing and 
Not Staying Invoiced 

Outsourcing is great, but you must stay involved. It's a bad idea to hand over 
the reins to a third party for all your security testing without following up 
and staying on top of what's taking place. You won't be doing anyone a favor 
except your outsourced vendors by staying out of their hair. Get in their hair. 
(But not like gum — that just makes everything more difficult.) 



DropBooks 

Part VIII 



Appendixes 



DropBooks 











In this part . . . 

■ n this final part of the book, Appendix A contains a 
<S listing of my favorite ethical hacking tools that I cover 
throughout this book, broken down into various categories 
for easy reference. In addition, I list various other ethical 
hacking resources that I think you'll benefit from in your 
endeavors. Appendix B talks about the book's companion 
Web site. Hope it all helps! 













Appendix A 

and Resources 

■ n order to stay up to date with the latest and great ethical hacking tools and 
«5 resources, you've got to know where to turn to. This Appendix contains my 
favorite security sites, tools, resources, and more that you can benefit from 
too in your ongoing ethical hacking program. 

Awareness and Training 

Greenidea, Inc. Visible Statement (www .green idea .com) 
Interpact, Inc. Awareness Resources (www . i nterpacti nc .com) 
SANS Security Awareness Program (store.sans.org) 

Security Awareness, Inc. Awareness Resources (www . securi tyawareness . com) 

Dictionary Files and Word Lists 

ftp://ftp.cerias.purdue.edu/pub/dict 

ftp://ftp.ox.ac.uk/pub/wordlists 

packetstormsecurity.nl/Crackers/wordlists 

www .outpost9.com/files/WordLists. html 

Default vendor passwords www . ci rt . net/cgi - bi n/passwd . pi 




330 Part VIM: Appendi 



ixes 



General Research Tools 




yEf\/^5 Vulnerability Notes Database www . kb . cert . org/vul s 
ChoicePoint www . choi cepoi nt .com 

Common Vulnerabilities and Exposures cve.mitre.org/cve 
Google www . googl e .com 

Hoover's business information www . hoovers . com 
NIST ICAT Metabase icat.nist.gov/icat. cf m 
Sam Spade www .samspade.org 

U.S. Securities and Exchange Commission www . sec . gov/edga r . shtml 

Switchboard.com www . swi tchboa rd . com 

U.S. Patent and Trademark Office www . uspto . gov 

US Search.com www . ussea rch . com 

Yahoo! Finance site f i nance .yahoo .com 



2600 — The Hacker Quarterly magazine www . 2600 . com 
Computer Underground Digest www .soci .niu.edu /-cud igest 
Hackers: Heroes of the Computer Revolution book by Steven Levy 
Hacker t-shirts, equipment, and other trinkets www . thi nkgeek . com 
Honeypots: Tracking Hackers www .tracking -hackers, com 
The Online Hacker Jargon File www . j argon. 8hz. com 
PHRACK www.phrack.org 



Hacker Stuff 



Appendix A: Tools and Resources 



Linux 

) |^ I \ ^) ^^J^^^inux hardening utility www . basti 1 1 e- 1 i nux . org 



Debian Linux Security Alerts www .debian.org/security 

Linux Administrator's Security Guide www .seifried.org/lasg 

Linux Kernel Updates www . 1 i nuxhq . com 

Linux Security Auditing Tool (LSAT) usat.sourceforge.net 

Red Hat Linux Security Alerts www .redhat. com/support/a lerts 

Slackware Linux Security Advisories www .slackware.com/security 

Suse Linux Security Alerts www .suse. com /us/bus iness/security. html 

Tiger ft p. deb ian.org/debi an/pool/ma in/t/tiger 

VLAD the Scanner razor. bindview.com/tools/vlad 



Log Analysis 



LogAnalysis.org system logging resources www. loganalysis.org 



Matrtare 



chkrootkit www . ch krootki t . org 

EICAR testing string www . ei car . org/anti_vi rus_test_f i 1 e . htm 

McAfee AVERT Stinger vi 1 . nai . com/vi 1 /sti nger 

PestPatrol's database of pests research . pestpatrol . com/Pestlnf o/ 
pestdatabase .asp 

Rkdet vancouver-webpages.com/rkdet 
The File Extension Source f i 1 ext . com 
Wotsit's Format at www . wotsi t . org 



Part VIII: Appendixes 



Messaging 

d Books 



(1 security test www . gf i .com/emailsecuritytest 
smtpscan www .grey hats. org/outils/smtpscan 

How to disable SMTP relay on various e-mail servers www .ma i labuse.org/ 
tsi /ar-fi x . html 

mailsnarf www .monkey . org /-dugs on g/ dsn i ffor ww.datanerds.net/ 
~mi ke/dsni f f . html for the Windows version 

Rogue Aware by Akonix www . a kon i x . com 



NetWare 



chknull www . ph reak.org/archives/explo its /novel 1 

Craig Johnson's BorderManager resources nscsysop.hy perm a rt.net 

NCPQuery razor. bindview.com/tools/index.shtml 

Novell Product Updates support . novel 1 . com/f i 1 ef i nder 

Remote packetstormsecurity.nl/Netware/penetrat ion 

Rcon program atpacketstormsecurity.nl/Netware/penetration/ 
rcon .zip 

Userdump www . roy . spang. org/freeware/userdump. html 



Networks 



dsniff www .monkey . org /-dugs ong/dsni f f 
Ethereal network analyzer www .ethereal .com 
ettercap ettercap.sourceforge.net 
Firewalk www . packetf actory . net/fi rewal k 
Firewall Informer www .blade- so ft ware, com 



Appendix A: Tools and Resources 



Foundstone FoundScan www . f oundstone .com 
uard Network Scanner www . gf i .com 
ress vendor lookup coffer . com/mac_f i nd 
Nessus vulnerability assessment tool www.nessus.org 
Netcat www . atstake . com/ research /tool s/network_uti 1 i ti es 
NetScanTools Pro all-in-one network testing tool www . netscantool s . com 
Nmap port scanner www . i insecure . org/nmap 
Port number listing www . i ana. org/assignments /port- numbers 
Qualys QualysGuard vulnerability assessment tool www .qualys.com 
SuperScan port scanner www . foundstone . com 
WildPackets EtherPeek www.wi ldpackets.com 

Password Cracking 

LC4 www .atstake.com/research/lc 
John the Ripper www . openwal 1 . com/ John 

pwdump2 razor. bindview. com /tool s/desc/pwdump2_readme .html 

NetBIOS Auditing Tool www . securi tyf ocus . com/tool s/543 

Crack ftp: //coast. cs.purdue.edu/pub/tools/unix/pwduti Is /crack 

Brutus www . hoobi e . net/brutus 

Pandora www .nmrc.org/project/ Pandora 

NTFSDOS Professional www .winternals.com 

NTAccess www . mi ri der . com/ntaccess . html 

TSCRACK softlabs.spacebitch.com/tscrack/index. html 

TSGrinder www . hammerof god .com/download/tsgrinder-2.03.zip 



pBod 1 




Part VIII: Appendixes 



War Dialing 

d Books 



eLoc Viewer ch root. ath.cx/fade/projects/palm/pTLV. html 
PhoneSweep www .sandstorm, net/products/phones weep 
THC-Scan www .thc.org/releases.php 

ToneLoc www . secur i ty focus. com /data /tool s/auditing/pstn/tl 110. zip 
ToneLoc Utilities Phun-Pak www . hackcanada . com/i ce3/phreak 

Web Applications 

2600's Hacked Pages www . 2600 . com/hacked_pages 

Archive of Hacked Websites www . onething. com /arch ive 

BlackWidow www .softbytelabs.com/BlackWidow 

Flawfinder www . dwheel er . com/f 1 awf i nder 

ITS4 www.cigital .com/its4 

Netcraft www . netcraf t . com 

Nikto www .cirt.net/code/nikto.sht ml 

RATS www .securesoftware.com/auditi ng_tool s_downl oad . htm 
Sanctum AppScan www . sanctumi nc . com 

Shadow Database Scanner www .safety - lab. com/en /products/6, htm 
SPI Dynamics Weblnspect www . spi dynami cs . com 



Windows 



Amap www .thc.org/releases.php 
DumpSec www . somarsoft .com 

Legion packetstorm secur ity.nl/groups/rhino9/legionv21. zip 
Microsoft Office Patches of f i ce .mi crosoft . com/of f i ceupdate 



Appendix A: Tools and Resources 



335 



Microsoft Security Resources www .mi crosof t .com/technet/security/ 
Def aul t . asp 

Users www . opt imumx . com/down load/netusers. zip 

Rpcdump razor. bindview. com/tool s/f i 1 es/rpctool s-1 . 0 . zip 

SMAC MAC address changer www . kl cconsul ti ng . net/smac 

Vision www . f oundstone . com 

Windows Update Utility for Patching wi ndows update .microsoft.com 
Winfo www .ntsecurity.nu/toolbox/winfo 

Wireless Networks 

Air Jack 802. llninja. net/a ir jack 
AirMagnet www .airmagnet.com 
AirSnort ai rsnort . schmoo . com 

Cantenna war-driving kit mywebpages . comcast . net/hughpep 
Fluke WaveRunner www .flukenetworks.com 
Kismet www . ki smetwi rel ess .net 

Lucent Orinoco Registry Encryption/Decryption program www . cqure . net/ 
tool s . jsp? i d=3 

Making a wireless antenna from a Pringles can www . orei 1 1 ynet . com/cs/ 
weblog/view/wlg/448 

NetStumbler www . netstumbl er .com 

Pong wireless firmware vulnerability testing program www.mobileaccess.de/ 
wl an/dl . php/pong_vl . 1 . zi p 

Security of the WEP Algorithm www .isaac.cs.berkeley.edu/isaac/ 
wep-f aq . html 

The Unofficial 802.11 Security Web Page www .drizzle.com/~aboba/IEEE 

Wellenreiter www .wel 1 enrei ter . net 

WiGLE database of wireless networks at www .wigle.net 

WildPackets AiroPeek www .wi ldpackets.com 



DropBooks 



Part VIII: Appendixes 



DropBooks 



Appendix B 

Book Web Site 



7 his book's companion Website contains links to all the tools and 
resources listed in Appendix A. Check it out at www . dummi es . com. 



Part VIII: Appendixes 



DropBooks 



DropBooks 



Index 



• Numbers & Symbols • 

802.1 lb/802.1 li standards (IEEE), 157 
2600 - The Hacker Quarterly (magazine), 27 

•A • 

access controls 

Linux systems, 203 

Web servers, 285 
access points (AP), wireless networks 

unauthorized, 158-160 

vulnerabilities, 76, 148 
accounts, user 

lockouts, 94 

unused, 94 
Active Server Pages (ASP) script attacks, 
289-290 

ActiveX controls malware attacks, 241-242 
Address Resolution Protocol (ARP) 

poisoning/spoofing, 140-143 
ad-hoc mode (wireless LANs), 153 
admin account (NetWare), 231 
admin utilities (NetWare), 228 
AdRem NetWare management 

programs, 223 
Advanced EFS Data Recovery program 

(ElcomSoft), 101 
AES (Advanced Encryption Standard), 157 
African Whois (lookup) sites, 44 
AIM File Transfer security risks, 273 
Air Jack wireless LAN security tool, 148 
AirMagnet wireless testing device, 150 
Aironet (Cisco) wireless card, 163 
AiroPeek (WildPackets) wireless LAN 

security tools 
local airwave scans, 153-154 
Monitor utility, 158-159 
system analysis, 149 



AirSnort wireless LAN security tool 

system analysis, 148 

WEP-encryption cracking, 156 
airwaves, scanning local, 152-154 
Akin, Thomas (Southeast Cybercrime 

Institute), 259 
Akonix IM traffic-detection tools, 275-276 
all-in-one security-assessment tools, 170 
Amap application-detection software, 
200-201 

anonymity, of hackers, protecting, 27-28 
antennas (wireless-network attacks), 150 
Antigen (Sybari Software) malware- 

prevention software, 254 
antivirus software, testing, 249-250 
AOL Instant Messenger security risks, 274 
AP (access points), wireless networks 
default configurations, 162 
unauthorized, 158-160 
vulnerabilities, 148 
APNIC (Regional Internet Registry for 

Africa) lookup site, 44 
Apple Remote Access remote-connectivity 

software, 106 
application servers, security testing, 32 
Application Service Providers (ASPs), 33 
application-based attacks, 13-14 
approvals, written, importance of, 

29-30, 323 

ARIN (Regional Internet Registry for North 

America) lookup site, 44 
ARP (Address Resolution Protocol) 

poisoning/spoofing, 140-144 
ASP (Active Server Pages) script 

attacks, 289 
ASPs (Application Service Providers), 33 
assumptions, documenting, 36 
attachment attacks (e-mail), 260 
authentication 
identifying requirements for, 48 
weak, 84 



Hacking For Dummies 



authorization 
importance of, 15, 29-30 
pu> f^oi»toiTuift«5 19-322 
pri%lc^-f^i^23 

automated malware attacks, 243 
automated scans (Web applications), 
292-293 

automated security assessments, 

35, 311-312 
automated-input attacks, 286-287 
autoresponder attacks (e-mail), 262 
AVERT Stringer (McAfee) antivirus 

program, 250-252 

•B • 

backdoor system access 

for propagating malware, 244 

using unsecured modems, 106 
background checks, 60 
banner-grabbing attacks 

Netcat for, 130-131 

telnet for, 130 

testing for, 263-264 
BBSs (bulletin board systems), 26 
behavioral-analysis tools, 252-253 
believability, 63 

BigFix Patch Manager software, 213, 307 
bindery contexts (NetWare), removing, 

232-233 
BIOS passwords, cracking, 100 
black-hat (malicious) hackers, 10, 22, 24-25 
BlacklCE Web-application intrusion- 
prevention software, 295 
BlackWidow Web-crawling tool 

directory traversals, 284 

function of, 42 
blind assessments 

versus knowledge assessments, 35 

pros and cons, 40-41 
bombs, e-mail, 258 
bounced e-mail messages, 49 
Browse rights (NetWare), 231-233 
browsers, Web, scanning for 

information, 41 
brute-force password attacks, 88 



Brutus password-cracking software 
cracking system passwords, 85 
cracking Web logins, 282 
buffer-overflow attacks, 208-209, 286 
building infrastructure, 72-73 
bulletin board systems (BBSs), 26 
business goals, for ethical hacking plan, 30 

•C» 

Cain and Abel password-capture 

software, 85 
Caldwell, Matt (GuardedNet, Inc.), 149 
called IDs, 62 
Cantenna kits, 150 
case studies 

hacking e-mail, 259 

hacking network infrastructures, 118 

hacking Web applications, 281 

hacking wireless networks, 149 

malware attack, 238 

physical security issues, 71 

social-engineering attack, 57 

war dialing, 107 

Windows password vulnerabilities, 81 
CERT/CC Vulnerability Notes Database 

Web site, 49 
CGI (Common Gateway Interface) script 

attacks, 289-290 
Chappell, Laura (Protocol Analysis 

Institute), 118 
Checkpoint firewall software, 295 
Chirillo, John (Hack Attacks 

Encyclopedia), 12 
chkconfig service (Linux), disabling, 203 
Chknull password-cracking utility, 85 
chkrootkit rootkit-detection tool, 254 
Cisco LEAP protocol WERP keys, 156-157 
Cisco routers, password vulnerabilities, 85 
client applications, 32 
Client Manager (Orinoco) wireless LAN 

security tool, 148 
client operating systems, 32 
Cobb, Chey (Network Security For 

Dummies), 101, 264, 308 
code-injection attacks, 286-287 



Index 



COM ports, identifying, 111 

Com mon Gateway Interface (CGI) script 

IC bnl iloj^u^p^yies and Exposures 

(CVE) Web site, 49, 300-301 
community of hackers, 26 
CommView for Wi-Fi (TamoSoft) wireless 

LAN-analyzer, 153 
comprehensive assessment tools, 37-38 
Computer Underground Digest 

(magazine), 27 
computers. See physical-security attacks 
confidential information 
and file sharing, 272-273 
removing from Google Groups, 45 
stealing off networks, 13 
configuration settings 
Web servers, 285 
wireless LANs, 162 
connection attacks (e-mail), 261-262 
console access (NetWare), 217 
contingency plans, 16, 35 
COPS file-monitoring program, 208 
copyrighted material, theft of, 26 
countermeasures, security. See also 

security awareness training; security 
patches 

Address Resolution Protocol protection, 
143-144 

autoresponder attack prevention, 262 
awareness training, 56, 66-67, 92-93, 
315-316 

banner grab prevention, 131, 264 
buffer-overflow attack prevention, 209 
denial of service attack prevention, 145 
disabling SMTP relays, 269 
disabling unneeded services, 201 
e-mail protections, 260-263, 269-272 
firewall testing, 133 

high-impact risks and responses, 305-306 
instant messaging protections, 275-277 
keystroke logging, 97-98 
for Linux systems, 199, 210, 212-213 
malware attack prevention, 253-254 
NetBIOS attack prevention, 176-177 
for NetWare systems, 220, 223-225, 
228-234 



Network File System protection, 207 
network-analyzer attack prevention, 

99-100, 139-140 
network-infrastructure attack 

prevention, 146 
null connection attack prevention, 

184-186 

ongoing ethical hacking, 311-312 
operating system protection, 101-102 
password protection, 91-94, 96-98, 100 
port scanning prevention, 127-128 
. rhosts and hosts . equi v file attack 

prevention, 205-206 
remote procedure call protection, 178 
script attack prevention, 290 
SNMP attack prevention, 129 
social-engineering attack prevention, 

65-67 

URL filter bypass prevention, 290-292 

war dialing prevention, 114-115 

Web directory traversal prevention, 285 

Web-application attack prevention, 283, 
289, 294-295 

for Windows systems, 173-174 

wireless LAN protection, 156-157, 
159-160, 163 

wireless workstation protection, 161-162 
Crack password-cracking software, 85 
crackers, defined, 10 
cracking passwords 

brute-force attacks, 88 

dictionary attacks, 87-88 

documenting testing process, 34 

inference attacks, 84 

keystroke logging, 97-98 

NetWare systems, 221-223 

network analyzers, 98-100 

in password-protected files, 95-97 

password-reset programs, 100-101 

shoulder surfing, 83 

social-engineering attacks, 83 

in systems with weak authentication, 84 

tools for, 79, 85-87 

weak storage systems, 98 

on wireless LANs, 156 
crashing system during tests, 15 



Hacking For Dummies 

crawlers, Web, 284 
criminal hackers, 24-25 




SS) Web-application 



customer notification, importance of, 31 
CVE (Common Vulnerabilities and 

Exposures) Web site, 49, 300-301 
cyberterrorists, 23-24 

•/> • 

daemons (Linux), scanning, 195-199 
database server testing, 32 
DDoS (distributed DoS) attacks, 144 
Debian Linux system updates, 213 
Deep Freeze lock down program, 98 
defaced Web pages, 25 
delimited files, 182 
deliverables, clarifying, 30 
denial of service (DoS) attacks 
defined, 13 

indications of, 137-138 
during testing, 15 
types of, 144 

using IM (instant messaging), 272 
desktop auditing utilities, 276 
DHAs (directory harvest attacks), 265 
dictionary password attacks, 87-88 
directional (wardriving) antennas, 150 
directory-harvest attacks (DHAs), 265 
directory-traversal attacks, 283-285 
distributed DoS (DDoS) attacks, 144 
DMZ/Shield Enterprise (Ubizen) intrusion- 
prevention software, 295 
DNS queries, 43 
documentation 

of assumptions, 36 

of test results and recommendations, 
40, 303-304 

of testing process, 34-35 
domain-name information, 43 
DOS debug program malware attacks, 243 
DoS 

defined, 13 

indications of, 137-138 
during testing, 15 
types of, 144 

using IM (instant messaging), 272 



Draper, John (hacker), 22 
drop ceilings, security risks, 72 
dsniff network analyzer 

analyzing UNIX systems, 135 

e-mail packet sniffing, 270 

malware attacks using, 242 
dsrepair NLM (NetWare), 227 
D-Tective reverse Whois service, 44 
DumpSec vulnerability-assessment tool 

operation system information, 48 

security settings, 171 

share permissions, 187 

user and configuration settings, 182-183 
dumpster diving 

preventing, 74 

risks from, 12, 61 

eBlaster (SpectorSoft) 

keystroke-logging tool, 97 

spyware, 241 
Ecora 

Enterprise Auditor IM traffic-detection 

tool, 276 
Patch Manager patch-automation 

software, 307 
Edgar Web site, 43 

eDirectory (NetWare) directory service 

disabling Public browse right, 231-233 

vulnerabilities, 84 
Eeye SecureNS intrusion-prevention 

software, 295 
eicar test string, 249-250 
802.1 lb/802. Hi standards (IEEE), 157 
ElcomSoft 

Advanced EFS Data Recovery 
program, 101 

password-cracking utilities, 95-96 
elite hackers, 23 
e-mail attacks 

account enumeration, 265-266 

anonymous addresses, 26 

bounced messages, 49 

e-mail bombs, 258 

malware propagation, 243-244, 255, 
270-271 

using attachments, 260 



Index 



using autoresponders, 262 
using connections, 260-261 
_ fcljaactei JntffcHis, 270 




SMTP relay, 269 



testing, 32 
employees 
security-awareness training, 56, 66-67, 

92-93, 315-316 
and social-engineering attacks, 55-56, 64 
encryption 
e-mail messages, 271 
password databases, 101 
for test results, 19 
TKIP (Temporal Key Integrity 

Protocol), 157 
user passwords, 82 
Enforcer and L7 (Akonix) IM traffic- 
detection tools, 276 
Enterprise Auditor (Ecora) IM traffic- 
detection tool, 276 
enumerating (mapping out) networks, 46 
Ethereal network analyzer, 17, 134 
EtherPeek (WildPackets) network analyzer, 

98-100, 134 
ethical hacking. See also software and 
testing tools; testing process 
ARP (Address Resolution Protocol) 

poisoning/spoofing, 140-144 
automating application of, 311-312 
benefits of, 31 

collating data and test results, 299-301 
cracking passwords, 82-91, 97-102 
data analysis and recommendations, 

20, 302-304 
defined, 9-10 
evaluating results, 20 
footprinting, 41 
goals, 10-12, 30-32 

grabbing banner information, 130-131 
identifying Web-based risks, 279-293 
keeping up-to-date, 316 
limits of, 324 

Linux file attacks, 204-209 
Linux system scans, 195-199, 211-212 
malware intrusion scans, 244-253 
NetWare system scans, 216-219 



network analyses, 43-49, 134-140 

network-infrastructure attacks, 117-121 

obtaining sponsorship, authorization, 
15, 29-30, 319-322 

planning and preparation, 15-19 

port scanning, 121-128 

retesting, 20 

scheduling tests, 30 

similarity to beta testing, 39 

similarity to malicious hacking, 39 

SNMP scans, 129 

social-engineering attacks, 56-59 

stealthy versus open approaches, 40-41 

system crashes, 15 

timing of tests, 326 

values, 14-15 

war dialing, 105-115 

Windows systems scans, 171-178 

wireless LAN attacks, 148-163, 158-159 
ettercap (Source Forge) network analyzer 

ARP spoofing, 135, 141 

malware attacks, 242 
event-logging systems, 312-313 
Exchange e-mail system, 84 
EXPN command (SMTP), 265-266 
external hacks, 36 
external system scans, 47 



• F • 



FaceTime Communications IM traffic- 
detection tool, 276 
false employees, dangers from, 55-56. 

See also social-engineering attacks 
FedCIRC Incident Handling Checklist, 

244-245 
file names 
illegitimate, 245 
on Web servers, 284 
file system. See also password attacks 
file-sharing risks, 272-273 
malware attacks using, 255-256 
File Transfer Protocol (FTP) 

vulnerabilities, 200 
file-modification auditing programs, 208 
file/print server testing, 32 
financial information, scanning for, 60 



Hacking For Dummies 



find command (Linux), 207 
f inge rprinting 

Finj an Software Test Center Web site, 
252-253 

Firewalk (Packet Factory) firewall-testing 
tool, 133 

Firewall Informer (BLADE Software) 

firewall-testing tool, 133 
firewalls 

e-mail, 263, 271 

Linux systems, 199 

NetBIOS attacks, 177 

testing, 32, 131-133 

Web applications, 295 

Windows systems, 173-174 
Flawfinder security-hole software, 295 
Fluke WaveRunner wireless testing 

device, 150 
footprinting, 41 

Fortres 101 for Windows lock-down 

program, 98 
fping ping utility (UNIX systems), 46 
FreeZip decompression tool, 89 
FTP (File Transfer Protocol) 

vulnerabilities, 200 
FU rootkit, 240-241 

•(?• 

GetPass login-decryption software, 85 
GFI Email Security Testing Zone, 250 
GFI LANguard Network Security Scanner 
vulnerability-assessment tool 

event logging, 312-313 

firewall testing, 132 

patch checking, 307 

testing Linux systems, 195, 197-198 

testing NetWare systems, 216, 218-219 

testing Windows systems, 
170, 172-173, 191 

testing wirelessLANs, 149 

uses for, 121 

viewing share permissions, 188-189 
goals, ethical hacking, 10-12, 30-32 



Google search engine 
Google Groups, 45 
locating security tools using, 18 
public information searches, 41-42 

government Whois (lookup) sites, 44 

Greenidea, Inc. Web site, 315 

• H* 

Hack Attacks Encyclopedia (Chirillo), 12 
hacked Web sites, defacing of, 25 
hacker Web sites, 26 
hackers. See also ethical hacking 

changing view of, 21-22 

cyberterrorists, 24 

elite hackers, 23 

ethical versus malicious, 9-10 

government agencies, 23 

hacker community, 26 

hackers for hire, 24 

hacktivists, 23-24 

importance of anonymity to, 27-28 

intermediate hackers, 23 

outsourcing, 312-315 

personality profiles, 22-23 

reasons for hacking, 24-26 

script kiddies, 21, 23 

work methods, 26-27 
The Hacker's Choice software 

THC-Amap application-version-mapping 
tool, 195 

THC-Scan war-dialing programs, 
46, 109-110 
hacking tools. See software and testing 
tools 

hardening operating systems, 101, 308-309 
hardening servers, 264 
hardware. See also physical-security 
attacks 

network, vulnerabilities of, 75-77 
for wireless-network attacks, 150 

headers, e-mail, 269-270 

HFNetChk Pro (Shavlik Technologies) 
patch-automation software, 307 

hidden field manipulation, 287-288 

high impact security vulnerabilities, 302 



Index 



honeypots, 27 
Hoovers.com Web site, 42- 



Drop®3$k& 

Hvena securitv-assess 



43, 60 



_ jiux) attacks, 204 
Hyena security-assessment software, 191 
Hypertext Transfer Protocol (HTTP) 
attacks involving, 14 
vulnerabilities, 279-280 



ICAT Metabase list of password 
vulnerabilities, 82 

IDSs (Intrusion Detection Systems), 33 

IEEE 802.11b standard, 157 

IM (instant messaging) 
reducing risks from, 275-277 
vulnerabilities from, 272-275 

IM Logic IM traffic-detection tool, 276 

inbound access (modems), 106 

individualism, 24 

inetd.conf service (Linux), disabling, 

202-203 
inference password attacks, 84 
information-gathering attacks 

banner grabs, 263-264 

footprinting, 41 

identifying vulnerabilities, 49-51 
mapping the network, 43-45 
penetrating security holes, 51-52 
for social-engineering attacks, 60-62 
system scans, 45-49 
Web searches, 41-42 

information-security vulnerabilities 
importance of identifying, 11-12 
network-infrastructure attacks, 13 
nontechnical attacks, 12 
sharing system information, 45 

infrastructure vulnerabilities, 309 

input attacks (Web applications) 
automated input, 286 
code injection, 287 
cross-site scripting (XSS), 287 
hidden field manipulation, 287-288 

instant messaging (IM) 
reducing risks from, 275-277 
vulnerabilities from, 272-275 



insurance, personal liability, 30 

intermediate hackers, 23 

internal hacks, 36 

internal system scans, 46-47 

Internet Relay Chat (IRC), 26. See also 

instant messaging (IM) 
Internet vulnerabilities, 243. See also Web- 
application attacks 
Internet Service Providers (ISPs), 33 
Interpact, Inc. Web site, 315 
intruder lockout, 94 
Intrusion Detection Systems (IDSs) 

for Novell NetWare systems, 224-225 

for service providers, 33 
IP addresses and host names 

capturing using instant messaging, 272 

scanning for, 46 

viewing, 46 
IP Personality Web site, 294 
IRC (Internet Relay Chat), 26. See also 

instant messaging (IM) 
ISO 177799 security framework, 30 
ISPs (Internet Service Providers), 33 
ITS4 security-hole software, 295 
ITsecurity.com security portal, 18 
IZArc decompression tool, 89 



Java applets, malware attacks using, 241 
JavaScript programs, malware attacks 
using, 242 

John the Ripper password-cracking tool, 
17, 85, 88-91 



Kerberos authentication system, 84 
KeyGhost keystroke-logging tool, 97 
KeyLogger Stealth software, 97 
keystroke logging, 97-98 
Kismet wireless LAN security tool 

scanning local airwaves, 153 

uses for, 148 
Knark for Linux rootkit, 240-241 
knowledge versus blind assessments, 35 



Hacking For Dummies 



• L • 




can and Caribbean 
I Registry) lookup 



LANguard Network Security Scanner (GFI) 
vulnerability-assessment tool 
firewall testing, 132 
testing Linux systems, 195, 197-198 
testing NetWare systems, 216, 218-219 
testing Windows systems, 170, 

172-173, 191 
testing wireless LANs, 149 
viewing share permissions, 188-189 
LANs (local area networks). See wireless 

LANs (WLANs) 
laptop computers 
resetting passwords, 100 
testing, 32 
Latin American and Caribbean Internet 
Address Registry (LACNIC) lookup 
site, 44 

LC4 password-cracking tool, 17, 85 

LEAP protocol (Cisco), 157 

legacy application configurations, 115 

legal warnings, 131 

Legion vulnerability-assessment tool, 

171, 176 
likeability, 62 

Linux Security Auditing Tool (LSAT), 195 

Linux systems 
buffer overflows, 208-209 
general security tests, 211-212 
hosts. equiv file attacks, 204-205 
malware attacks, 247-249 
Network File System attacks, 206-207 
operating system access, 102 
password storage locations, 87 
physical-security vulnerabilities, 209-210 
. r hosts file attacks, 204 
rogue file permissions, 207-208 
rootkits for, 240 
security patches, 212-213 
system vulnerabilities, 193-194 
tools for, 194-195 



unauthorized scans, 195-199 

unneeded services, 200-201 
lock-down programs, 98 
logged in NetWare server access, 217 
logging 

e-mail, 271 

instant messages, 275 

system events, 40, 312-313 
logic bombs, 242 
logins 

insecure, 171, 280-282 

unauthorized, 224-225, 229 
lookup sites (Whois lookups), 43-44 
low impact security vulnerabilities, 302 
LSAT (Linux Security Auditing Tool), 195 
lsof tool (Linux) 

testing for malware intrusions, 248 

uses for, 201 

• M • 

MAC (media access control) addresses 

vulnerabilities, 140, 151-152 
Macintosh system lock-down programs, 98 
magazines for hackers, 27 
malicious hackers 
defined, 10 

monitoring for, 312-313 
malware attacks 
automated, 243 
dangers from, 237-239 
defined, 237 
logic bombs, 242 
reporting, 253 
rootkits, 240-241 
spyware, 241 

testing systems for, 245-247 

Trojan houses, 239-240 

using e-mail, 243-244, 270-271 

using instant messages, 272 

using internal security tools, 242-243 

using programming interfaces, 241-242 

using vulnerable ports, 244 

viruses, 239-240 

worms, 240 



Index 34 7 




Malware: Fighting Malicious Code 
(Skoudis), 238 
^a^pjjstf A^oji^oftware, 253-254, 271 
^^t|<^f\e^ITM) attacks, 140 
mapping networks 
Google Groups, 45 
Whois lookups, 43-44, 46 
mapping null sessions, 179-180 
Maven Security Consulting, Inc. 

Web site, 107 
MBSA (Microsoft Baseline Security 

Analyzer) tool, 169-170, 190-191, 308 
media access control (MAC) address 

vulnerabilities, 140, 151-152 
medium impact security 

vulnerabilities, 302 
messaging-system attacks 
banner grabbing, 263-264 
system vulnerabilities, 257-258 
using e-mail, 258-263 
using instant messaging, 272-275 
using Simple Mail Transfer Protocol, 
265-272 

Microsoft. See also Windows (Microsoft) 
systems 

Baseline Security Analyzer (MBSA) tool, 
169-170, 190-191, 308 

.NET application vulnerabilities, 241 

Software Update Services (SUS) 
Server, 308 

Virtual PC system-scanning software, 46 
military Whois (lookup) sites, 44 
Minor Threat (ToneLoc software), 109 
MITM (Man-in-the-Middle) attacks, 140 
Mitnick, Kevin (hacker), 22 
mobile device testing, 32. See also wireless 

LANs (WLANs) 
modems 

identifying COM port, 111 

physical placement, 115 

protecting against war dialing, 114-115 

unsecured, 46, 105-106 

vulnerability testing, 113-114 

for war dialing, 109-110 
monitoring security events, 312-313 
Mucho Maas (ToneLoc software), 109 



A7 



NAT (NetBIOS Auditing Tool) password- 
cracking tools, 85, 86 
National Institute of Standards and 
Technology (NIST) 

ICAT Metabase Web site, 49 

operating system hardening practices, 
101, 264, 308 
National Security Agency 

operating system hardening practices, 
264, 308 

Security Recommendation 
Guidelines, 101 
nbtstat NetBIOS attack program, 175 
NCP packet signing (NetWare), 

enabling, 230 
NCPQuery enumeration software, 216 
Nessus vulnerability-assessment tool 

features, 50, 121 

firewall testing, 132 

malware attacks using, 242 

testing Linux systems, 195, 196-197 

testing Windows systems, 170 
net use command, 247 
net view command, 180-181 
netbasic NLM (NetWare), 227 
NetBIOS 

attacks on, 175-177 

blocking access to, 184 

vulnerability of, 13 
NetBIOS Auditing Tool (NAT) password- 
cracking utilities, 85 
Netcat banner-grabbing tool 

features, 130-131 

firewall testing, 132-133 

malware attacks using, 242 

network scanning, 120 
Netcraft Web server-versioning tool, 48-49 
netfilter/iptables Linux firewall, 199 
NetScanTools Pro 

network scanning program, 120, 128 

ping tool, 46 
NetScreen firewall software, 295 



Hacking For Dummies 




netstat command 
testing for malware intrusions, 245-248 
"e^iMjJ .LmJxjs^rM^-es, 201 
^t^mJb^r^v|fliglQp LAN security tool 
features, 148 
scanning local airwaves, 152-153 
testing unauthorized wireless LAN access 
points, 158 
NetWare Loadable Module (NLM) 
password storage location, 223 
rconsole attacks, 221 
rogue programs, 225-229 
NetWare (Novell) systems 
clear-text packets, 229-230 
debugger, 243 

intruder detection settings, 224-225 

NCPQuery information, 219 

Novell ConsoleOne access, 232-233 

password testing, 85 

port scanning, 217-219 

Remote Console attacks, 221-223 

rogue NLM programs, 225-229 

server-console attacks, 224 

system vulnerabilities, 215-216 

testing tools, 216 
network cards 

promiscuous mode, 135 

testing for malware intrusions, 249 
Network File System (NFS) attacks, 205-206 
Network Mapper (NMap) port scanner 

identifying host IP addresses, 46 

limits of, 37-38 

uses for, 17, 18 
network mapping 

Google Groups, 45 

Web site privacy policies, 45 

Whois (lookup) sites, 43-44 
network scanning software, 120, 250-252 
Network Security For Dummies (Cobb), 

101, 264, 308 
Network Solutions Web site, 43 
Network Users (Optimum X) 

login-scanning tool, 171 

vulnerability-assessment tool, 183-184 
network-analyzer attacks 

how they work, 134-140 

packet sniffing, 98-100 

running, 136-139 

tools for, 17 



network-analyzer tools 

capturing e-mail traffic using, 270 

malware attacks using, 242 

monitoring network traffic, 46 
network-infrastructure attacks 

application-based attacks, 13-14 

ARP (Address Resolution Protocol) 
poisoning/spoofing, 140-144 

banner grabbing, 130-131 

case study, 118 

firewall vulnerabilities, 131-133 

locations for, 36 

network analyzers, 134-140 

operating-system attacks, 13 

password vulnerability, 85-86 

port scanning, 46 

scanning tools, 120 

shares authentication, 48 

Simple Network Management Protocol 
scans, 129 

sniffers, 134-140 

testing process, 32 

vulnerability assessments, 1 19-121 
NFS (Network File System) attacks, 206-207 
Nikto Web-application-evaluation tool 

automated scans, 292-293 

features, 280 
NIST (National Institute of Standards and 
Technology) 

ICAT Metabase Web site, 49 

operating system hardening practices, 
101, 264, 308 
NLM (NetWare Loadable Module) 

password storage location, 223 

rconsole attacks, 221-222 

rogue programs, 225-229 
Nmap (Network Mapper) port scanner 

features, 17-18, 46 

limits of, 37-38 

ping sweeps, 124 

scanning systems using, 173 

testing for malware intrusions, 250-251 

testing Linux systems, 195, 198, 200-201 

testing Windows systems, 169 

using, 120, 126-127 
NMap Win port scanner, 46, 48, 120 
nontechnical attacks, 12 
not-logged in NetWare server access, 217 



Index 



Novell NetWare 
clear-text packets, 229-230 



Dro piwte 

NCPOuerv informatk 



_ settings, 224-225 
NCPQuery information, 219 
Novell ConsoleOne access, 232-233 
password testing, 85 
port scanning, 217-219 
Remote Console attacks, 221-223 
rogue NLM programs, 225-229 
server-console attacks, 224 
system vulnerabilities, 215-216 
testing tools, 216 
NTAAccess password-resetting 

program, 101 
NTFSDOS Profession password-cracking 

utilities, 85 
null session attacks (Windows), 179-184 



0 



Oechslin, Philippe (Swiss Federal Institute 

of Technology), 81 
office layout, risks associated with, 74-75 
omnidirectional antennas, 150 
open ports, scanning for, 48 
open source software 

hacking tools, 37-38 

PasswordSafe encryption tool, 92 
OpenSSH (Linux) vulnerability testing, 196 
operating systems 

access limits, 101 

fingerprinting, 174 

hardening, 264, 303, 308-309 

rootkits attacks, 240-241 

vulnerabilities, 48-49, 198-199 
operating-system attacks, 13 
organizational (end-user) password 

vulnerabilities, 80-81 
Orinoco Registry Encryption/Decryption 

(Lucent) program, 161 
outbound access (modems), 106 
outcomes, identifying before starting 

hacking process, 30 
outsourcing 

ethical hacking, 313-315 

security monitoring, 312-313 



Pandora 

NetWare hacking suite, 229-230 

password-cracking tool, 85 
password attacks 

brute-force attacks, 88 

cracking tools, 85-87 

dictionary attacks, 87-88 

how they work, 86 

inference attacks, 84 

keystroke logging, 97-98 

locations for, 36 

network analyzers, 98-100 

recognizing, 79-80 

resetting programs, 100-101, 226-227 

shoulder surfing, 83-84 

social-engineering attacks, 83-84 

success of, 82 

Trojan horses, 94 
password vulnerabilities 

authentication systems, 84 

Novell NetWare systems, 221-223 

organizational end-users, 80-81 

passwords in limbo, 100 

privacy issues, 64 

protecting against, 79, 91-94 

storage issues, 87, 92, 98 

Windows shares, 177 
password-protected files, 95-97 
Patch Manager (Ecora) patch-automation 

software, 307 
patches, security 

automated, 307-308 

for e-mail attacks, 271 

for Linux systems, 212-213 

managing, 306-307 

for NetWare systems, 220, 234 

for Windows systems, 188-190, 308 
PatchManager (Big Fix) patch-automation 

software, 307 
pcAnyware remote-connectivity 

software, 106 
penetration testing, 10, 34 
perimeter e-mail protection, 263 
personal liability insurance, 30 



Hacking For Dummies 



personnel 
security-awareness training, 56, 66-67, 



DropB$®fc 

iPestPatrol Web sit 



jing attacks, 55-56, 64 

PestPatrol Web site 
Auditor's Edition scanning tool, 251-252 
catalog of pests, 245 
war-dialing programs, 109 
PGP (Pretty Good Privacy) encryption 
for password databases, 92 
using, 19 
phone line vulnerabilities, 114-115 
PhoneSweep 
telephone line-scanning program, 114 
war-dialing software, 46 
phone-switch software, accessing, 62 
PHRACK (magazine), 27 
physical-security attacks 
common, 69-71 
on Linux systems, 209-210 
network components and computers, 
75-77 

versus social-engineering attacks, 55 
types of, 12 

using buildings and offices, 71, 74-75 

using utility systems, 73-74 

on wireless LANs, 160 
Ping of Death DoS attacks, 144 
ping tool 

scanning systems using, 46 

using from external location, 47 
planning and preparation, 15-19 
port scanning 

commonly hacked ports, 122-123 

indications of, 139 

information provided by, 121-122, 
124-125 

mapping programs, 246 

NetWare systems, 217-219, 227 

number assignments, viewing, 48 

for open ports, 46-47 

ping sweeps, 124 

tools for, 46 
portals, security, 18 
PortSentry intrusion-prevention 

software, 199 
Prescan tool (ToneLoc), 108 



Pretty Good Privacy (PGP) encryption 
for password databases, 92 
using, 19 

privacy 
and civil liberty, 26 
need for, during hacking process, 19 
policies, vulnerabilities from, 45 
respecting, during hacking process, 14-15 

Procomm Plus remote-connectivity 
software, 106 

programming interface vulnerabilities, 
241-242 

PromiscDetect network-analyzer attack 

detector, 140 
promiscuous mode, 135 
propagation of malware 

automated, 243 

backdoor access, 244 

using e-mail, 243-244, 255, 270-271 

using instant messaging, 272 
property, physical, protecting, 69-70 
protocols, identifying, 47 
ps malware-intrusion testing tool, 248-249 
public information, locating, 41-43 
pwdump, pwdump2 password-cracking 
tools, 17, 85, 88-91 



Q 



QualysGuard (Qualys) vulnerability- 
assessment tool 
features, 50 

testing Linux systems, 195, 198-199 
testing Windows systems, 170 



RAS (remote access servers), 105 
RATs (remote-access Trojans), 

138, 239-240 
RATS security-hole software, 295 
RC4 encryption algorithm, 155 
Rconj NetWare-management program, 223 
rconsole (Remote Console, NetWare) 

attacks, 221-223 
reconnaissance missions 

banner grabs, 263-264 

footprinting, 41 



Index 




identifying vulnerabilities, 49-51 
mapping the network, 43-45 
""^etoatuac Je&uaity holes, 51-52 
or^ s^cjb^gyySg^yig attacks, 60-62 
system scans, 45-49 
Web searches, 41-42 
Recording Industry Association of America 

(RIAA) copyright lawsuits, 26 
Red Hat Linux system updates, 213 
red teams, 31 

reformed hackers, hiring, 315 
Regional Internet Registry for Africa 

(APNIC) lookup site, 44 
Regional Internet Registry for North 

America (ARIN) lookup site, 44 
Register Fly Web site, 43 
relays (SMTP), vulnerabilities, 266 
remote access servers (RAS), 105 
Remote Console (rconsole, Novell 

NetWare) attacks, 221-223 
Remote password-cracking software, 216 
remote procedure call (RPC) enumeration, 

177-178 
remote-access services, 48 
remote-access Trojans (RATs), 

138, 239-240 
repeat dial tones, 106 
reports, 302-304. See also documentation 
resetting passwords 
cautions about, 100-101 
in NetWare systems, 226-227 
results, test data, evaluating, 20, 302-304 
reverse Whois services, 44 
Rhoades, David (Maven Security Consult, 

Inc.), 107 

. r hosts files (Linux), attacks on, 204 
RIAA (Recording Industry Association of 

America) copyright lawsuit, 26 
RIPE Network Coordination Centre lookup 

site, 43-44 
risks, evaluating and ranking, 300-302 
Rkdet rootkit-detection tool, 254 
robots, txt file, searching for, 283-284 
Rogue Aware (Akonix) IM traffic-detection 

tool, 275-276 
rogue modems, 13 
root passwords, cracking, 82 



rootkits 

detection tools, 254 

uses for, 240-241 
routers, testing, 32 

RPC (remote procedure call) enumeration, 
177-178 

Rpcdump port scanning tool, 171, 178 
r-services (Linux) vulnerabilities, 198, 200 



SAM (Security Account Manager) 

database, 87 
Sam Spade for Windows network scanning 

program, 43, 109, 120, 267 
sandboxes, 241 
SANS Institute 
operating system hardening practices, 

101, 264, 308 
Top 20 Internet Security Vulnerabilities 
consensus list, 50 
SATAN (Security Administrator Tool for 

Analyzing Networks), 18, 38 
scanning local airwaves, 152-154 
scans, system 
banner grabbing, 263-264 
information obtained from, 47-49 
penetrating security holes, 51-52 
using network analyzers, 46-47 
using port scanners, 46-47 
using unsecured modems, 46 
screen captures, as documentation, 40 
script attacks (Web applications), 289-290 
script kiddies, 21, 23 

scripting program vulnerabilities, 241-242 

SearchSecurity.com security portal, 18 

SeattleWireless Hardware Comparison Web 
page, 150 

SEC filings Web site, 60 

second dial tones, 106, 110 

SecurellS (Eeye) Web-application intrusion- 
prevention software, 295 

Security Account Manager (SAM) 
database, 87 

Security Administrator Tool for Analyzing 
Networks (SATAN), 18 

Security Awareness, Inc. Web site, 315 



Hacking For Dummies 



security awareness training, 56, 66-67, 

92-93, 315-316 
spiVitaiJiQles|26^, 36, 51-52 
icil , i i y j J]i[rjslfo^^re, assessing and 

enhancing, 309 
security measures. See also security 
awareness training; security patches 
Address Resolution Protocol protection, 
143-144 

autoresponder attack prevention, 262 
awareness training, 56, 66-67, 92-93, 
315-316 

banner grab prevention, 131, 264 
buffer-overflow attack prevention, 209 
denial of service attack prevention, 145 
disabling SMTP relays, 269 
disabling unneeded services, 201 
e-mail protections, 260-263, 269-272 
firewall testing, 133 

high-impact risks and responses, 305-306 
instant messaging protections, 275-277 
keystroke logging, 97-98 
for Linux systems, 199, 210, 212-213 
malware attack prevention, 253-254 
NetBIOS attack prevention, 176-177 
for NetWare systems, 220, 223-225, 
228-234 

Network File System protection, 207 
network-analyzer attack prevention, 

99-100, 139-140 
network-infrastructure attack 

prevention, 146 
null connection attack prevention, 

184-186 

ongoing ethical hacking, 311-312 
operating system protection, 101-102 
password protection, 91-94, 96-98, 100 
port scanning prevention, 127-128 
. rhosts and hosts . equi v file attack 

prevention, 205-206 
remote procedure call protection, 178 
script attack prevention, 290 
SNMP attack prevention, 129 
social-engineering attack prevention, 

65-67 

URL filter bypass prevention, 290-292 

war dialing prevention, 114-115 

Web directory traversal prevention, 285 



Web-application attack prevention, 
283, 289, 294-295 

for Windows systems, 173-174 

wireless LAN protection, 156-157, 
159-160, 163 

wireless workstation protection, 161-162 
security patches 

automated, 307-308 

for e-mail attacks, 271 

for Linux systems, 212-213 

managing, 306-307 

for NetWare systems, 220, 234 

for Windows systems, 188-190, 308 
security policies, 66 
security portals, 18 
security seals, 30 

security vulnerabilities, ranking, 300-301 
SecurityFocus.com security portal, 18 
SecurityProfiling Syspdate patch- 
automation software, 307 
security-testing tools, overview, 
18-19, 37-38. See also software 
and testing tools 
self-replicating viruses and worms, 239-240 
semidirectional antennas, 150 
sendmail security vulnerabilities, 200 
server-console (NetWare)-attacks, 224 
servers 

identifying software used by, 48 

viewing operating systems, 
applications, 32 
services 

unneeded, disabling, 199, 272 

in use, identifying, 47 
setpwd NLM (NetWare), 226 
setspass NLM (NetWare), 226 
setspwd NLM (NetWare), 226 
shares (Windows) attacks, 176, 186-189 
Shavlik technologies HFNetChk Pro patch- 
automation software, 307 
shoulder surfing, 83 
Sima, Caleb (SPI Dynamics, Inc.), 281 
Simple Mail Transfer Protocol (SMTP)- 
based attacks 

account enumeration attacks, 265-266 

banner grabs, 263-264 

e-mail header disclosures, 269-270 

e-mail relays, 266-269 

types of, 14 



Index 




Simple Network Management Protocol 

(SNMP) attacks, 129 
StojJdj*^Ed^sJc>u]^ty expert 

Slackware Linux system updates, 213 
SMAC MAC-spoofing software, 142-143 
SMTP 

account enumeration attacks, 265-266 

banner grabs, 263-264 

e-mail header disclosures, 269-270 

e-mail relays, 266-269 

types of, 14 
smtpscan banner-grabbing software, 264 
Smurf DoS attack, 137-138, 144 
SNARE intrusion-prevention software, 199 
sniffdet network-analyzer attack 

detector, 140 
SNMP (Simple Network Management 

Protocol) attacks, 129 
social-engineering attacks 

behaviors associated with, 62-64 

case study, 57 

cracking passwords, 83 

deceptive practices, 63-65 

defending against, 65-67 

defined, 12, 55-56 

and ethical hacking, 56-59 

versus physical-security attacks, 55 

system reconnaissance, 43, 60-62 
software and testing tools 

banner grabbing, 264 

behavioral-analysis, 252-253 

capturing e-mail traffic, 270 

cautions when using, 38 

choosing correctly, 325 

desirable features, 38 

e-mail header disclosures, 269-270 

e-mail malware propagation, 243-244 

firewall testing, 132 

instant message monitoring, 275-276 

keystroke logging, 97 

Linux security testing, 195, 213 

Linux service assessments, 200-201 

MAC spoofing, 142-143 

NetWare security testing, 216, 229-230 

network analyzers, 134-135 

null session attacks, 179-180 

password-cracking utilities, 85-87, 95-96 

rootkit detection, 254 



spyware scanning, 250-252 
testing SMTP relays, 266-267 
vulnerability assessment, 50-51, 280 
war dialing, 108-111 
Windows security testing, 168-171 
Wired Equivalent Privacy encryption 

cracking, 156 
wireless LAN security testing, 148-149 
software, malicious 
automated, 243 
dangers from, 237-239 
defined, 237 
logic bombs, 242 
reporting, 253 
rootkits, 240-241 
spyware, 241 

testing systems for, 245-247 

Trojan houses, 239-240 

using e-mail, 243-244, 270-271 

using instant messages, 272 

using internal security tools, 242-243 

using programming interfaces, 241-242 

using vulnerable ports, 244 

viruses, 239-240 

worms, 240 
Spector Pro (SpectorSoft) 

keystroke-logging tool, 97 

spyware, 241 
SPI Dynamics 

Web site URL, 65 

Weblnspect application-evaluation 
tool, 280 
spider programs, 284 
Spies Among Us (Winkler), 57 
Spitzner, Lance, Web site, 27 
sponsorship for ethical hacking 

importance of obtaining, 15 

tips for obtaining, 319-322 

written approvals, 323 
spyware, 241 

startup files, testing for malware 

intrusions, 247-248 
stealthy versus open hacking approaches, 

40-41 

A Step-by-Step Guide to Computer Attacks 
and Effective Defenses (Skoudis), 238 

strangers, responding to with caution, 
67, 75 



Hacking For Dummies 



SuperScan port scanner 
features, 17, 125-126 




intrusions, 250-251 



ping sweeps and port scanning, 46, 120 
testing Linux systems, 195, 195-196 
testing NetWare systems, 216, 218 
testing Windows systems, 170-173 

SUS (Microsoft Software Update Services) 
Server, 308 

SuSE/Novell Linux system updates, 213 

switches, in Google searches, 42 

SYN flood DoS attacks, 144 

SYSKEY encryption tool, 101 

system auditing feature (NetWare), 233-234 

system crashes, 14-15 

system login files, 88 

system scans 
information obtained from, 47-49 
IP addresses and host names, 46 
Linux systems, 195 
network analyzers for, 46-47 
penetrating security holes, 51-52 
port scanners for, 46-47 
unsecured modems, 46 
Windows systems, 171-173 

Sys Trust security seal, 30 

SysUpdate patch-management tool, 213 

SysUpdate (SecurityProfiling) patch- 
automation software, 307 

• r» 

tablet PCs, testing, 32 

tarpitting, 262 

TCP port scans, 125-128 

TCP Wrappers access-control tool, 203 

tcpcon NLM (NetWare), testing, 227-228 

TCP/IP communications 

NetWare parameter settings, 234 

protocol vulnerabilities, 13 
technical password vulnerabilities, 82 
Techno Security Web site, 71 
telephone system vulnerabilities, 61-62, 106 
telnet tool 

banner grabbing, 130 

SMTP relay testing, 267-269 

security vulnerabilities, 200 



Temporal Key Integrity Protocol (TKIP) 

encryption, 157 
testing. See also ethical hacking; software 
and testing tools 

capturing clear-text packets, 229-230 

choosing test systems, 32-33 

crashing system during, 15 

for DoS attacks, 145 

for e-mail header disclosures, 269-270 

for firewall vulnerabilities, 132-133 

goals for, 30-32 

IM (instant messaging) security, 274-275 

for insecure Web logs in, 280-282 

Linux security, 195-201 

locations for, 36 

logging and documenting, 40 

for malware intrusions, 244-253 

for NetBIOS attacks, 174-176 

NetWare security systems, 216-224 

process of, 19 

results from, 19-20, 299-301 
retesting, 20, 324 
for rogue file permissions, 207 
for rogue NLMs, 226 
for share permissions, 187-189 
for SMTP relays, 266-267, 266-269 
timing and timelines for, 33-36, 326 
for unauthorized access points, 158-159 
for unprotected shares, 187-189 
for URL filter bypasses, 290-292 
for vulnerable malware ports, 244 
Web directory security, 283-284 
Windows system security, 171-173, 
180-184, 189-191 

TFN (Tribe Flood Network) DoS 
attacks, 144 

Tiger Linux security-auditing tool, 
195,211-212 

tiger teams, 31 

Timbuktu for Apple remote-connectivity 

software, 106 
timing and timelines, 33-36, 326 
TippingPoint Technologies firewall 

software, 295 
TKIP (Temporal Key Integrity Protocol) 

encryption, 157 
tonel oc command, 112 



index 355 




ToneLoc (Minor Threat, Mucho Maas) 
Phun-Pak Prescan utility, 108 
WiMJ^QgWHjn, 108-111 
S^-Vj^Sly Pg^^oc program), 112 
tools, security. See software and testing 

tools 
traffic 
e-mail, monitoring, 270 
instant messaging, monitoring, 275-276 
network, restricting, 127-128 
wireless, 154, 155-156 
Tribe Flood Network (TFN) DoS 

attacks, 144 
Trinoo DoS attacks, 144 
Tripwire file-monitoring program, 208 
Trojan horse attacks 
features, 239-240 
password-cracking, 94 
tester software, 244-245 
types of, 245 

using instant messaging, 272 
TrueActive spyware, 241 
trust 

and ethical hacking, 14 
and social-engineering attacks, 62-63 
2600 - The Hacker Quarterly (magazine), 27 



140 



Ubizen DMZ/Shield Enterprise Web- 
application intrusion-prevention 
software, 295 

unauthorized logins (Novell NetWire), 229 

UNIX systems 
cracking passwords on, 90 
e-mail packet sniffers, 270 
MAC-address spoofing, 142 
network-analyzer attack detectors, 
for operating system access, 102 
password-storage locations, 87 
ping utilities, 46 
rootkits for, 240-241 
network analyzer attacks, 134-135 
wireless LAN security tools, 148 

unlimited attack approach, 16, 35 

unneeded services 
disabling, 272 

security vulnerabilities, 200-201 



URL filter bypasses, 290-292 
U.S. government, hacking by, 23 
U.S. Patent Office Web site, 43 
user accounts 

password protection strategies, 92-94 

unused, eliminating, 94 
user IDs for Web logins, viewing, 280-282 
utilities, physical, protecting, 73-74 



V 



VBScripts, malware attacks using, 242 
viruses, 240 
Vision (Foundstone) 
port-mapping software, 246-247 
system-analyzer software, 169 
Visual Basic, VBScript vulnerabilities, 242 
VLAD the Scanner Linux security-auditing 

tool, 212, 195 
VMware Workstation system-scanning 

software, 46 
voice-mail systems, vulnerabilities, 106 
VPN services, identifying, 48 
VRFY command (SMTP), 265-266 
vulnerability-assessment tools. See also 
GFI LANguard Network Security 
Scanner vulnerability-assessment tool 
DumpSec, 48, 171, 182-183, 187 
Legion, 171, 176 

Network Users (Optimum X), 183-184 
QualysGuard, 50, 170, 195, 198-199 
Walksam, 171, 183 
vulnerable systems, criteria for 
identifying, 33 



W 



Walksam vulnerability-assessment tool, 

171,183 
WANRemote RAT attacks, 138 
war dialing 

attack process, 106-108 

case study, 107 

configuring programs for, 110-111 
defined, 105 

dialing-in process, 110-113 
documenting testing process, 34 
information gathering stage, 108-109 



Hacking For Dummies 



war dialing (continued) 

modems for, 109 

bry yrtjru*^ Jatfist^ 1 14-115 

fecOT ^a^pfrpg^ports, 46-47 

software tools, 109 
wardriving (directional) antennas, 150 
weak authentication, 84 
weak passwords, 88 
Web access (NetWare), 217 
Web browsers, obtaining system 

information from, 41 
Web login-cracking tools, 281 
Web pages, defaced, 25 
Web servers 

configuration settings, 285 

identifying software versions, 48 

testing configurations, 32 

testing directory security, 283-284 
Web site privacy policies, information 

from, 45 
Web sites 

antivirus software testing, 250 

banner-grabbing software, 264 

behavioral-analysis tools, 252 

Cantenna kits, 150 

decompression tools, 89 

defaced Web pages, 25 

default system passwords, 100 

dictionary word lists, 88 

ElcomSoft password-cracking utilities, 95 

FedCIRC Incident Handling site, 244-245 

fingerprint-changing tools, 294 

firewall testers, 133 

hacker community sites, 26 

hacker magazines, 27 

hardening practices information, 101, 264 

ICAT Metabase list of password 
vulnerabilities, 82 

INM traffic-detection tools, 275-276 

keystroke logging tools, 97 

Lance Spitzner's, 27 

Linux security tools, 195, 199, 213 

lock-down programs, 98 

logging resources, 312-313 

MAC-spoofing software, 142-143 

malware-protection software, 254 

NetWare management programs, 223 

password-cracking tools, 85, 282 

password-resetting program, 101 



patch-automation applications, 307 
port-mapping software, 246 
port-number assignment listings, 48 
Pringles-can design antenna, 150 
rconsole attack information, 223 
Security Accounts Manager (SAM) 

database, 87 
security training vendors, 315 
service-disabling utilities, 202-203 
SMTP relay information, 266-267, 269 
SNMP scanners, 129 
for understanding specific malware 

attacks, 245 
for understanding system vulnerabilities, 

49-50 

war-dialing programs, 109 
Web-application security tools, 280, 295 
Web-crawling tools, 284 
Whois (lookup) sites, 43-44 
Windows security tools, 169-171, 

181, 183, 190 
Wired Equivalent Privacy encryption 

cracking tools, 156 
wireless hardware information, 150 
wireless LAN security tools, 148-149, 151 
Web-application attacks 
assessment tools, 17 
automated scans, 292-293 
cracking Web logins, 280-283 
directory traversals, 283-285 
input attacks, 285-289 
types of, 279-280 
URL filter bypasses, 290-292 
using default scripts, 289-290 
Web-crawling utilities, 42 
Weblnspect (SPI Dynamics) Web- 
application-evaluation tool, 
280, 17, 292-293 
Web-server security features, 294 
WebTrust security seal, 30 
Wellenreiter wireless LAN security 

tool, 148 
WEP (Wired Equivalent Privacy) 

encryption, 155-156, 161 
WepAttack wireless LAN-cracking tool, 156 
WEPCrack password-cracking tool, 156 
WhatIsMyIP.com Web site, 46 
Whister Web-application-assessment 
tool, 17 



Index 357 




white-hat hackers, 10. See also ethical 
hacking 

~|^ok*mlQ0W43-44, 109 
L£)(r^(cj)b|i\ ( S> s s (WPA), 157 
WiFiMaps Web site, 151 
WiGLE wireless LAN database Web site, 
151-152 

WildPackets EtherPeek network-analysis 
program, 120-121 

Wiles, Jack (The Training Co.), 71 

Win Sniffer password capture software, 85 

Windows (Microsoft) systems 
cracking passwords on, 89-90 
e-mail packet sniffers, 270 
lock-down programs, 98 
MAC-address spoofing, 142-143 
malware infection detectors, 245-247 
NetBIOS attacks, 174-177 
network-analyzer attacks, 134-135, 140 
null session attacks, 179-186 
operating system vulnerabilities, 

101-102, 167-168 
password resetting program, 101 
password vulnerabilities, 81, 87 
ping utilities, 46 

remote procedure call enumeration, 
177-178 

rootkits for, 240-241 

security tools, 148-149, 168-171 

share permission vulnerabilities, 187-189 

system scanning process, 171-174 
Windows Registry 

blocking access, 184-185 

examining for malware attacks, 247 
Windows Resource Kit security tools, 170 
Windows Script Host (WSH) malware 

attacks, 242 
Windows Server 2003 

enhanced security, 179, 184 

share permissions, 187 
Windows System Information tool, 111 
Windows Task Manager, 246 
Windows 2000/NT 

null connection attacks, 185-186 

security-testing tools, 171 

share permissions, 186-187 

unprotected shares, 188-189 
Windows Update security patches, 
188-190, 308 



Windows workstation security 

enhancements, 188 
Windows XP security enhancements, 188 
Winfo NT security-testing tool, 

171, 181-182 
Winkler, Ira (social engineer, author), 57 
WinNuke DoS attacks, 144 
Wired Equivalent Privacy (WEP) 

encryption, 155-156, 161 
wireless access points, testing, 32 
wireless LANs (WLANs) 
ad-hoc mode, 153 

configuration vulnerabilities, 162-163 
hacking tools and hardware, 148-158 
physical-security attacks, 160 
reconnaissance missions, 151-154 
types of, 154-155 

unauthorized access points, 158-160 

unencrypted traffic, 155-157 

vulnerabilities, 13, 147-148 

Wired Equivalent Privacy encryption, 
155-156 

wireless workstations, 161-162 
working ethically, 14 
workstations 

testing, 32 

wireless, 161-162 
worms, 94, 240 
Wotsit's Format Web site, 245 
WPA (Wi-Fi Protected Access), 157 
WSH (Windows Script Host) malware 
attacks, 242 



xinetd configuration tool, replacing, 203 
XSS (cross-site scripting) Web-application 
attacks, 288 

.y. 

Yahoo! Finance Web site, 42-43, 60 

• Z» 

zombie computers, 28, 65 



Hacking For Dummies 



DropBooks 




FOR 




1Sf cocy v,ay to get more done and have morefun 



PERSONAL FINANCE 



Personal 
Finance 

DUMtf lES " 



Investing I Home Buying 




0-7645-5231-7 



0-7645-2431-3 



0-7645-5331-3 



Also available: 

Estate Planning For Dummies 

(0-7645-5501-4) 

401 (k)s For Dummies 

(0-7645-5468-9) 

Frugal Living For Dummies 

(0-7645-5403-4) 

Microsoft Money "X" For 

Dummies 

(0-7645-1689-2) 

Mutual Funds For Dummies 

(0-7645-5329-1) 



Personal Bankruptcy For 

Dummies 

(0-7645-5498-0) 

Quicken "X" For Dummies 

(0-7645-1666-3) 

Stock Investing For Dummies 

(0-7645-5411-5) 

Taxes For Dummies 2003 

(0-7645-5475-1) 



BUSINESS & CAREERS 



Accounting I Grant Writing Resumes 

dumM^s I duties I dumM Ies 



m 



r Jft J 

A Rtferencr for I tic fir 1 1 ol Ut! 




0-7645-5314-3 0-7645-5307-0 0-7645-5471-9 



HEALTH, SPORTS & FITNESS 



Also available: 

Business Plans Kit For 

Dummies 

(0-7645-5365-8) 

Consulting For Dummies 

(0-7645-5034-9) 

Cool Careers For Dummies 

(0-7645-5345-3) 

Human Resources Kit For 

Dummies 

(0-7645-5131-0) 

Managing For Dummies 

(1-5688-4858-7) 



QuickBooks All-in-One Desk 

Reference For Dummies 

(0-7645-1963-8) 

Selling For Dummies 

(0-7645-5363-1) 

Small Business Kit For 

Dummies 

(0-7645-5093-4) 

Starting an eBay Business For 

Dummies 

(0-7645-1547-0) 





DUMMIES 




A Reference for the Rest of Ut! 




A Reference ^^^^^^^^9 



0-7645-5167-1 



0-7645-5146-9 



0-7645-51 54-X 



Also available: 

Controlling Cholesterol For 

Dummies 

(0-7645-5440-9) 

Dieting For Dummies 

(0-7645-5126-4) 

High Blood Pressure For 

Dummies 

(0-7645-5424-7) 

Martial Arts For Dummies 
(0-7645-5358-5) 
Menopause For Dummies 
(0-7645-5458-1) 



Nutrition For Dummies 

(0-7645-5180-9) 

Power Yoga For Dummies 

(0-7645-5342-9) 

Thyroid For Dummies 

(0-7645-5385-2) 

Weight Training For Dummies 

(0-7645-5 168-X) 

Yoga For Dummies 

(0-7645-5117-5) 



Available wherever books are sold. 

Go to www.dummies.com or call 1-877-762-2974 to order direct. 



©WILEY 



I 



HOME, GARDEN & HOBBIES 



FengShui I Gar( j e ning I Guitar 

DUMMIES I cuMHIES I DUMft lES 



e tot the Retr of U%! 



0-7645-5295-3 0-7645-5 1 30-2 



FOOD & WINE 



0-7645-51 06-X 



Also available: 

Auto Repair For Dummies 

(0-7645-5089-6) 

Chess For Dummies 

(0-7645-5003-9) 

Home Maintenance For 

Dummies 

(0-7645-5215-5) 

Organizing For Dummies 

(0-7645-5300-3) 

Piano For Dummies 

(0-7645-5105-1) 



Poker For Dummies 

(0-7645-5232-5) 

Quilting For Dummies 

(0-7645-5118-3) 

Rock Guitar For Dummies 

(0-7645-5356-9) 

Roses For Dummies 

(0-7645-5202-3) 

Sewing For Dummies 

(0-7645-51 37-X) 



Cooking " Cookies Wine 
D UMtf l£ S' I DUMMIES I x>UMH IeS 




0-7645-5250-3 



0-7645-5390-9 



0-7645-5114-0 



Also available: 

Bartending For Dummies 
(0-7645-5051-9) 
Chinese Cooking For 
Dummies 
(0-7645-5247-3) 

Christmas Cooking For 

Dummies 

(0-7645-5407-7) 

Diabetes Cookbook For 

Dummies 

(0-7645-5230-9) 



Grilling For Dummies 

(0-7645-5076-4) 

Low-Fat Cooking For 

Dummies 

(0-7645-5035-7) 

Slow Cookers For Dummies 

(0-7645-5240-6) 



TRAVEL 





0-7645-5453-0 



0-7645-5438-7 



0-7645-5448-4 



Also available: 

America's National Parks For 

Dummies 

(0-7645-6204-5) 

Caribbean For Dummies 
(0-7645-5445-X) 
Cruise Vacations For 
Dummies 2003 
(0-7645-5459-X) 
Europe For Dummies 
(0-7645-5456-5) 
Ireland For Dummies 
(0-7645-6199-5) 
France For Dummies 
(0-7645-6292-4) 



London For Dummies 

(0-7645-5416-6) 

Mexico's Beach Resorts For 

Dummies 

(0-7645-6262-2) 

Paris For Dummies 

(0-7645-5494-8) 

RV Vacations For Dummies 

(0-7645-5443-3) 

Walt Disney World & Orlando 

For Dummies 

(0-7645-5444-1) 



Available wherever books are sold. Go to www.dummies.com or call 1-877-762-2974 to order direct. 



K 



roo 



COMPUTER BASICS 




neFlat-ScreeniMac I ^dpWsXP,,, 

DUMMIES I DUMMIES 




0-7645-0838-5 0-7645-1663-9 



0-7645-1548-9 



Also available: 

PCs All-in-One Desk 

Reference For Dummies 

(0-7645-0791-5) 

Pocket PC For Dummies 

(0-7645-1 640-X) 

Treo and Visor For Dummies 

(0-7645-1673-6) 

Troubleshooting Your PC For 

Dummies 

(0-7645-1669-8) 



Upgrading & Fixing PCs For 
Dummies 
(0-7645-1665-5) 
Windows XP For Dummies 
(0-7645-0893-8) 
Windows XP For Dummies 
Quick Reference 
(0-7645-0897-0) 



BUSINESS SOFTWARE 



Excel2002 Word2002 OfficeXP 

jjuHMfcS I DUMMIES I DUMH IES 




0-7645-0822-9 



0-7645-0839-3 



0-7645-0819-9 



Also available: 

Excel Data Analysis For 
Dummies 
(0-7645-1661-2) 
Excel 2002 All-in-One Desk 
Reference For Dummies 
(0-7645-1794-5) 
Excel 2002 For Dummies 
Quick Reference 
(0-7645-0829-6) 
GoldMine'X'For Dummies 
(0-7645-0845-8) 



Microsoft CRM For Dummies 

(0-7645-1698-1) 

Microsoft Project 2002 For 

Dummies 

(0-7645-1628-0) 

Office XP For Dummies 

(0-7645-0830-X) 

Outlook 2002 For Dummies 

(0-7645-0828-8) 







Get smart! Visit www.dummies.com 








• Find listings of even more For Dummies titles 


(T 




TM 


• Browse online articles 

• Sign up for Dummies eTips 

• Check out For Dummies fitness videos and other products 

• Order from our online bookstore 










Available wherever books are sold. Go to www.dummies.com or call 1-877-762-2974 to order direct. 




FOR 




r^,I^*nd your horizons and reo/.ze your potent^ 



INTERNET 



The Internet I T^e /nternet 





0-7645-0894-6 0-7645-1659-0 0-7645-1642-6 



DIGITAL MEDIA 



Also available: 

America Online 7.0 For 

Dummies 

(0-7645-1624-8) 

Genealogy Online For 

Dummies 

(0-7645-0807-5) 

The Internet All-in-One Desk 

Reference For Dummies 

(0-7645-1659-0) 

Internet Explorer 6 For 

Dummies 

(0-7645-1344-3) 



The Internet For Dummies 

Quick Reference 

(0-7645-1645-0) 

Internet Privacy For Dummies 

(0-7645-0846-6) 

Researching Online For 

Dummies 

(0-7645-0546-7) 

Starting an Online Business 

For Dummies 

(0-7645-1655-8) 




Digital 
Photography 



0-7645-1664-7 



GRAPHICS 



0-7645-1675-2 



0-7645-0806-7 



Also available: 

CD and DVD Recording For 

Dummies 

(0-7645-1627-2) 

Digital Photography 

All-in-One Desk Reference 

For Dummies 

(0-7645-1800-3) 

Digital Photography For 

Dummies Quick Reference 

(0-7645-0750-8) 

Home Recording for 

Musicians For Dummies 

(0-7645-1634-5) 



MP3 For Dummies 
(0-7645-0858-X) 
PaintShop Pro "X" For 
Dummies 
(0-7645-2440-2) 
Photo Retouching & 
Restoration For Dummies 
(0-7645-1662-0) 
Scanners For Dummies 
(0-7645-0783-4) 



A Reference 

_ /or Iff, , . 

Rest of Us! 




PowerPoint 2002 I phQ 

DUMMIES I m 



A Reference 
^far the, . . 

Rest of Us. 




Also available: 

Adobe Acrobat 5 PDF For 

Dummies 

(0-7645-1652-3) 

Fireworks 4 For Dummies 

(0-7645-0804-0) 

Illustrator 10 For Dummies 

(0-7645-3636-2) 



QuarkXPress 5 For Dummies 

(0-7645-0643-9) 

Visio 2000 For Dummies 

(0-7645-0635-8) 



0-7645-0817-2 



0-7645-1651-5 



0-7645-0895-4 



Available wherever books are sold. Go to www.dummies.com or call 1-877-762-2974 to order direct. 



FOR 




i!li^ V j c ff" d Nations you nee d to succeed 



DropBuHRS 



SELF-HELP, SPIRITUALITY & RELIGION 





Parenting T Religion 



I 3 _ <l 



0-7645-5302-X 0-7645-5418-2 0-7645-5264-3 

PETS 



Also available: 

The Bible For Dummies 

(0-7645-5296-1) 

Buddhism For Dummies 

(0-7645-5359-3) 

Christian Prayer For Dummies 

(0-7645-5500-6) 

Dating For Dummies 

(0-7645-5072-1) 

Judaism For Dummies 

(0-7645-5299-6) 



Potty Training For Dummies 

(0-7645-5417-4) 

Pregnancy For Dummies 

(0-7645-5074-8) 

Rekindling Romance For 

Dummies 

(0-7645-5303-8) 

Spirituality For Dummies 

(0-7645-5298-8) 

Weddings For Dummies 

(0-7645-5055-1) 



Puppies I oogTraining I QOtS 
DUMMIES I DUMMIES I DUMHfcS 




0-7645-5255-4 




Reference for the Rett of Utl A Rtftrtnct for tht Rttt of U%f 



0-7645-5286-4 



0-7645-5275-9 



Also available: 

Labrador Retrievers For 

Dummies 

(0-7645-5281-3) 

Aquariums For Dummies 

(0-7645-5156-6) 

Birds For Dummies 

(0-7645-5139-6) 

Dogs For Dummies 

(0-7645-5274-0) 

Ferrets For Dummies 

(0-7645-5259-7) 



EDUCATION & TEST PREPARATION 



German Shepherds For 

Dummies 

(0-7645-5280-5) 

Golden Retrievers For 

Dummies 

(0-7645-5267-8) 

Horses For Dummies 

(0-7645-5138-8) 

Jack Russell Terriers For 

Dummies 

(0-7645-5268-6) 

Puppies Raising & Training 

Diary For Dummies 

(0-7645-0876-8) 



Spanish Algebra 
DUMPS' I 





0-7645-5194-9 



0-7645-5325-9 



0-7645-5210-4 



Also available: 

Chemistry For Dummies 

(0-7645-5430-1) 

English Grammar For 

Dummies 

(0-7645-5322-4) 

French For Dummies 

(0-7645-5193-0) 

The GMAT For Dummies 

(0-7645-5251-1) 

Ingles Para Dummies 

(0-7645-5427-1) 



Italian For Dummies 

(0-7645-5196-5) 

Research Papers For 

Dummies 

(0-7645-5426-3) 

The SAT I For Dummies 

(0-7645-5472-7) 

U.S. History For Dummies 

(0-7645-5249-X) 

World History For Dummies 

(0-7645-5242-2) 



Available wherever books are sold. Go to www.dummies.com or call 1-877-762-2974 to order direct. 




FOR 




r ^teKe WW out of complicated subverts 



WEB DEVELOPMENT 



Creating Web Pages I HTML 4 \ Dreamweaver MX 



A Reference 
ResiofUs! 




0-7645-1643-4 



0-7645-0723-0 0-7645-1630-2 



PROGRAMMING & DATABASES 



Also available: 

ASP.NET For Dummies 
(0-7645-0866-0) 
Building a Web Site For 
Dummies 
(0-7645-0720-6) 
ColdFusion "MX" For 
Dummies (0-7645-1672-8) 
Creating Web Pages 
All-in-One Desk Reference 
For Dummies 
(0-7645-1 542-X) 



FrontPage 2002 For Dummies 

(0-7645-0821-0) 

HTML 4 For Dummies Quick 

Reference 

(0-7645-0721-4) 

Macromedia Studio "MX" 

All-in-One Desk Reference 

For Dummies 

(0-7645-1799-6) 

Web Design For Dummies 

(0-7645-0823-7) 



C++ ~ XML Access2002 




A Reference 

Rest of Us! A^=d 9 




A Reference 



0-7645-0746-X 



0-7645-1657-4 



0-7645-0818-0 



LINUX, NETWORKING & CERTIFICATION 



Also available: 

Beginning Programming For 

Dummies 

(0-7645-0835-0) 

Crystal Reports "X" 

For Dummies 

(0-7645-1641-8) 

Java & XML For Dummies 

(0-7645-1658-2) 

Java 2 For Dummies 

(0-7645-0765-6) 

JavaScript For Dummies 

(0-7645-0633-1) 

Oracle9/' For Dummies 

(0-7645-0880-6) 



Perl For Dummies 

(0-7645-0776-1) 

PHP and MySQL For 

Dummies 

(0-7645-1650-7) 

SQL For Dummies 

(0-7645-0737-0) 

VisualBasic .NET For 

Dummies 

(0-7645-0867-9) 

Visual Studio .NET All-in-One 

Desk Reference For Dummies 

(0-7645-1626-4) 




0-7645-1545-4 



0-7645-0772-9 



0-7645-0812-1 



Also available: 

CCNP All-in-One Certification 

For Dummies 

(0-7645-1648-5) 

Cisco Networking For 

Dummies 

(0-7645-1 668-X) 

CISSP For Dummies 
(0-7645-1670-1) 
CIW Foundations For 
Dummies with CD-ROM 
(0-7645-1635-3) 



Available wherever books are sold. 

Go to www.dummies.com or call 1-877-762-2974 to order direct. 



Firewalls For Dummies 

(0-7645-0884-9) 

Home Networking For 

Dummies 

(0-7645-0857-1) 

Red Hat Linux All-in-One 

Desk Reference For Dummies 

(0-7645-2442-9) 

TCP/IP For Dummies 

(0-7645-1760-0) 

UNIX For Dummies 

(0-7645-0419-3) 

©WILEY 



